CN106372557A - Method, device and system for acquiring certificate card information - Google Patents
Method, device and system for acquiring certificate card information Download PDFInfo
- Publication number
- CN106372557A CN106372557A CN201610787018.XA CN201610787018A CN106372557A CN 106372557 A CN106372557 A CN 106372557A CN 201610787018 A CN201610787018 A CN 201610787018A CN 106372557 A CN106372557 A CN 106372557A
- Authority
- CN
- China
- Prior art keywords
- card
- certificate
- certificate card
- credential
- security control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 130
- 230000008569 process Effects 0.000 claims abstract description 72
- 230000003993 interaction Effects 0.000 claims abstract description 23
- 230000004044 response Effects 0.000 claims description 259
- 238000012790 confirmation Methods 0.000 claims description 102
- 238000012545 processing Methods 0.000 claims description 35
- 238000003860 storage Methods 0.000 claims description 28
- 230000006854 communication Effects 0.000 claims description 10
- 238000012795 verification Methods 0.000 description 24
- 230000005540 biological transmission Effects 0.000 description 13
- 230000006870 function Effects 0.000 description 11
- 238000004364 calculation method Methods 0.000 description 7
- 238000002360 preparation method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000002457 bidirectional effect Effects 0.000 description 4
- 230000011664 signaling Effects 0.000 description 3
- 101100310949 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) SRD1 gene Proteins 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000009826 distribution Methods 0.000 description 2
- 238000009313 farming Methods 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 230000002452 interceptive effect Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000036961 partial effect Effects 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 230000002829 reductive effect Effects 0.000 description 2
- 101100310948 Caenorhabditis elegans srd-1 gene Proteins 0.000 description 1
- 101100310954 Caenorhabditis elegans srd-2 gene Proteins 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 230000000670 limiting effect Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K7/00—Methods or arrangements for sensing record carriers, e.g. for reading patterns
- G06K7/10—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
- G06K7/10009—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
- G06K7/10257—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves arrangements for protecting the interrogation against piracy attacks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K17/00—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
- G06K17/0022—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
- G06K17/0029—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device the arrangement being specially adapted for wireless interrogation of grouped or bundled articles tagged with wireless record carriers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K7/00—Methods or arrangements for sensing record carriers, e.g. for reading patterns
- G06K7/10—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
- G06K7/10009—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Toxicology (AREA)
- Computer Hardware Design (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Electromagnetism (AREA)
- Bioethics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a method, a device and a system for acquiring the certificate card information. The method comprises steps that an operation request is sent by a terminal to a certificate card reading device; the operation request is received by the certificate card reading device, and a card reading request is sent to a server; the card reading request is sent by the server to first certificate card safety control equipment; the card reading request is received by the first certificate card safety control equipment so as to start a process of reading the certificate card information, information interaction between the server and the certificate card reading device and a certificate card is carried out, and the certificate card information stored in the certificate card is read; the read certificate card information is sent by the first certificate card safety control equipment to the certificate card reading device through the server; the certificate card information is received by the certificate card reading device and is sent to the terminal.
Description
Technical Field
The invention relates to the technical field of electronics, in particular to a method, a device and a system for acquiring certificate card information.
Background
The existing front-end certificate card reader is provided with at least two modules, including a reading module and a certificate card verification security control module. Because each front-end certificate card reader is provided with a certificate card verification safety control module, the manufacturing cost of the existing front-end certificate card reader is high; moreover, the certificate card safety control module can only carry out identity verification on the certificate card information read by one reading module, so that the utilization rate of the existing front-end certificate card reader is low.
Disclosure of Invention
The present invention is directed to solving one of the problems set forth above.
The invention mainly aims to provide a certificate card information acquisition method;
another object of the present invention is to provide a certificate card information acquisition apparatus;
still another object of the present invention is to provide a certificate card information acquisition system.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
scheme 1, a certificate card information acquisition method, including:
step 1, a terminal sends an operation request to a certificate card reading device;
step 2, the certificate card reading device receives the operation request;
step 3, periodically broadcasting a card searching instruction by the certificate card reading device;
step 4, the certificate card reading device receives a response message returned by the certificate card and judges that the response message is the card searching confirmation data aiming at the card searching instruction;
step 5, the certificate card reading device stops broadcasting the card searching command and sends a card searching request to a server;
step 6, the server receives the card searching request and sends the card searching request to first certificate card safety control equipment;
step 7, the first certificate card security control equipment receives the card searching request and sends a card searching response to the certificate card reading device through the server, wherein the card searching response carries card searching response data;
step 8, the certificate card reading device receives the card searching response sent by the first certificate card safety control equipment, and obtains the card searching response data;
step 9, the certificate card reading device determines that the card searching response data is response data responding to the card searching request, and sends the card searching confirmation data to the first certificate card security control device through the server;
step 10, the certificate card reading device sends a card selection instruction to the certificate card;
step 11, the certificate card reading device receives card selection confirmation data sent by the certificate card, wherein the card selection confirmation data at least comprises unique identification information of the certificate card;
step 12, the certificate card reading device sends a card selection request to the first certificate card security control equipment through the server;
step 13, the first certificate card security control equipment receives the card selection request;
step 14, the first certificate card security control equipment sends a card selection request response to the certificate card reading device through the server;
step 15, the certificate card reading device receives a card selection request response sent by the first certificate card security control equipment;
step 16, the certificate card reading device determines that the card selection request response is response data for the card selection request, and sends the card selection confirmation data to the first certificate card security control device through the server;
step 17, the certificate card reading device sends a card reading instruction to the certificate card;
step 18, the certificate card reading device receives card reading confirmation data returned by the certificate card;
step 19, the certificate card reading device sends a card reading request to the server;
step 20, the server sends the card reading request to a first certificate card safety control device;
step 21, the first certificate card security control equipment receives the card reading request, starts a process of reading certificate card information, and reads the certificate card information stored in the certificate card through information interaction between the server and the certificate card reading device and the certificate card;
step 22, the first certificate card security control equipment sends the read certificate card information to the certificate card reading device through a server;
and step 23, the certificate card reading device receives and sends the certificate card information to the terminal.
Scheme 2 the method according to scheme 1,
the card searching request at least carries first identity authentication data;
before the first credential card security control device returns the card-searching response to the credential card reading device through the server, the method further includes: and the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to the first identity authentication data carried in the card searching request, and executes the step of returning the card searching response to the certificate card reading device through the server under the condition that the authentication is passed.
Scheme 3, the method according to scheme 1 or 2,
the card searching response at least carries second identity authentication data;
after the credential card reading device receives the card searching response sent by the first credential card security control device through the server, before sending the card searching confirmation data to the first credential card security control device through the server, the method further includes: and the certificate card reading device authenticates the identity of the first certificate card safety control equipment according to the second identity authentication data, and executes the step of sending the card searching confirmation data to the first certificate card safety control equipment through the server under the condition that the authentication is passed.
Scheme 4 the method according to any one of schemes 1 to 3,
the card selection request carries third identity authentication data;
after the first credential card security control device receives the card selection request and before a card selection request response is sent to the credential card reading device by the server, the method further comprises: and the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to third identity authentication data carried in the card selection request, and executes the step of sending a card selection request response to the certificate card reading device through the server under the condition that the authentication is passed.
Scheme 5 the method according to any one of schemes 1 to 4,
the card selection request response at least carries fourth identity authentication data;
after the credential card reading device receives the card selection request response sent by the first credential card security control device, before sending the card selection confirmation data to the first credential card security control device through the server, the method further includes: the certificate card reading device analyzes information carried in the card selection request response, acquires fourth identity authentication data carried in the card selection request response, authenticates the identity of the first certificate card safety control equipment according to the fourth identity authentication data, and executes the step of sending the card selection confirmation data to the first certificate card safety control equipment through the server under the condition that the authentication is passed.
Scheme 6 the method according to any one of schemes 1 to 5,
the card reading request at least carries fifth identity authentication data;
after the first credential card security control device receives the card reading request and before starting a process of reading credential card information, the method further includes: and the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to the fifth authentication data carried in the card reading request, and executes the step of starting the process of reading the certificate card information under the condition that the authentication is passed.
Scheme 7 the method according to any one of schemes 1 to 6,
before the first credential card security control device starts the process of reading credential card information, the method further includes: the certificate card reading device and the first certificate card safety control equipment negotiate through the server, and a session key is obtained by the certificate card reading device and the first certificate card safety control equipment;
after the certificate card reading device and the first certificate card safety control equipment obtain a session key, in the subsequent communication process of the certificate card reading device and the first certificate card safety control equipment, the certificate card reading device and the first certificate card safety control equipment respectively encrypt and decrypt sent and received data by using the session key.
Scheme 8, the method according to any one of schemes 1 to 7, where sending, by the server, the card search request to the first credential card security control device includes:
the server selects the first certificate card safety control equipment from a plurality of certificate card safety control equipment;
and the server sends the card searching request to the selected first certificate card safety control equipment.
Scheme 9, the method of scheme 8, where the selecting, by the server, the first credential card security control device from the plurality of credential card security control devices includes:
the server selects the first certificate card safety control equipment from a plurality of certificate card safety control equipment according to the pre-stored corresponding relation between the certificate card reading device and the certificate card safety control equipment; or
And the server selects the certificate card safety control equipment with the current working state being idle from the plurality of certificate card safety control equipment as the first certificate card safety control equipment.
Scheme 10, the method of any of schemes 1 to 9, after the terminal receives the credential card information, the method further comprising:
and the terminal displays and/or sends the certificate card information to a storage device for storage.
Scheme 11, a certificate card information acquisition device, includes:
the first transceiver module is used for receiving an operation request sent by a terminal;
the second transceiving module is used for periodically broadcasting a card searching instruction and receiving a response message returned by the certificate card;
the processing module is used for judging that the response message is card searching confirmation data aiming at the card searching instruction; if so, instructing the second transceiver module to stop broadcasting the card searching instruction, and instructing a third transceiver module to send a card searching request to the first certificate card security control device through a server;
the third transceiver module is configured to send the card searching request through the server, and receive the card searching response returned by the first credential card security control device through the server;
the processing module is further configured to obtain the card searching response data from the card searching response, determine that the card searching response data is response data in response to the card searching request, and instruct the third transceiver module to send the card searching confirmation data to the first credential card security control device through the server;
the second transceiver module is further configured to send a card selection instruction to the credential card and receive card selection confirmation data sent by the credential card, where the card selection confirmation data at least includes unique identification information of the credential card;
the third transceiver module is further configured to send a card selection request to the first credential card security control device through the server, and receive a card selection request response sent by the first credential card security control device through the server;
the processing module is further configured to determine that the card selection request response is response data for the card selection request, and instruct the third transceiver module to send the card selection confirmation data to the first credential card security control device through the server;
the second transceiver module is further configured to send a card reading instruction to the certificate card and receive card reading confirmation data returned by the certificate card;
the third transceiver module is further configured to send a card reading request to the first certificate card security control device through the server, and instruct the first certificate card security control device to start a process of reading certificate card information; receiving first interaction information sent by the first certificate card safety control device through the server in the certificate card information reading process, and sending second interaction information sent by the certificate card to the first certificate card safety control device through the server; receiving certificate card information read from the certificate card and sent by the first certificate card security control equipment through the server;
the second transceiver module is further configured to send the first interaction information received by the third transceiver module to a certificate card, and receive second interaction information sent by the certificate card;
the first transceiver module is further configured to send the certificate card information received by the third transceiver module to the terminal.
In the apparatus according to claim 12 and 11, the processing module is further configured to obtain first identity authentication data before the third transceiver module sends the card searching request, and carry the first identity authentication data in the card searching request.
Scheme 13, the apparatus according to scheme 11 or 12,
the card searching response at least carries second identity authentication data;
the processing module is further configured to authenticate the identity of the first certificate card security control device according to the second identity authentication data after the third transceiver module receives a card searching response sent by the first certificate card security control device through the server and before the card searching confirmation data is sent to the first certificate card security control device through the server, and trigger the third transceiver module to send the card searching confirmation data to the first certificate card security control device through the server under the condition that the authentication is passed.
In scheme 14, the apparatus according to any one of schemes 11 to 13, wherein the processing module is further configured to obtain third authentication data before the third transceiver module sends the card selection request, and carry the third authentication data in the card selection request.
Scheme 15 the apparatus according to any one of schemes 11 to 14,
the card selection request response at least carries fourth identity authentication data;
the processing module is further configured to, after the third transceiver module receives a card selection request response sent by the first certificate card security control device, analyze information carried in the card selection request response before sending the card selection confirmation data to the first certificate card security control device through the server, obtain fourth authentication data carried in the card selection request response, authenticate the identity of the first certificate card security control device according to the fourth authentication data, and trigger the third transceiver module to send the card selection confirmation data to the first certificate card security control device through the server when the authentication is passed.
In the aspect 16, the apparatus according to any one of the aspects 11 to 15, wherein the processing module is further configured to obtain fifth identity authentication data before the third transceiver module sends the card reading request, and carry the fifth identity authentication data in the card reading request.
Scheme 17 the apparatus according to any one of schemes 11 to 16,
the processing module is further configured to negotiate with the first certificate card security control device through the server to obtain a session key before the first certificate card security control device starts a procedure of reading certificate card information; and in the subsequent communication process with the first certificate card safety control equipment, the session key is used for encrypting and sending the data sent by the third transceiver module and decrypting the data received by the third transceiver module respectively.
Scheme 18, a certificate card information acquisition system, includes: the certificate card security control system comprises a terminal, a certificate card reading device, a server and first certificate card security control equipment; wherein,
the terminal is used for sending an operation request to the certificate card reading device;
the credential card reading device comprising the device of any one of claims 11 to 17;
the server is used for receiving a card searching request sent by the certificate card reading device and sending the card searching request to the first certificate card safety control equipment; forwarding information interacted between the certificate card reading device and the first certificate card safety control equipment;
the first certificate card security control device is used for:
receiving the card searching request, and sending a card searching response to the certificate card reading device through the server, wherein the card searching response carries card searching response data;
receiving card searching confirmation data sent by the certificate card reading device through the server;
receiving a card selection request sent by the certificate card reading device through the server, and sending a card selection request response to the certificate card reading device through the server;
receiving a card reading request sent by the certificate card reading device through the server, starting a process of reading certificate card information, and reading certificate card information stored in the certificate card through information interaction between the server and the certificate card reading device as well as the certificate card;
and sending the read information of the certificate card to the certificate card reading device through a server.
Scheme 19. the system according to scheme 18,
the card searching request at least carries first identity authentication data;
the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to the first identity authentication data carried in the card searching request before the card searching response is returned to the certificate card reading device through the server, and execute an operation of returning the card searching response to the certificate card reading device through the server if the authentication is passed.
Scheme 20, the system according to scheme 18 or 19, and the first certificate card security control device are further configured to obtain second authentication data before sending the card searching response, and carry the second authentication data in the card searching response.
Scheme 21 the system of any one of schemes 18 to 20,
the card selection request carries third identity authentication data;
the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to third identity authentication data carried in the card selection request after receiving the card selection request and before sending a card selection request response to the certificate card reading device through the server, and execute an operation of sending the card selection request response to the certificate card reading device through the server under the condition that the authentication is passed.
Scheme 22, the system according to any one of schemes 18 to 21, and the first credential card security control device are further configured to obtain fourth authentication data before sending the card selection request response, and carry the fourth authentication data in the card selection request response.
Scheme 23 the system according to any one of schemes 18 to 22,
the card reading request at least carries fifth identity authentication data;
the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to the fifth authentication data carried in the card reading request after receiving the card reading request and before starting a process of reading certificate card information, and execute an operation of starting the process of reading certificate card information when the authentication is passed.
Scheme 24 the system of any one of schemes 18 to 23,
the certificate card reading device and the first certificate card safety control equipment are also used for negotiating through the server before the first certificate card safety control equipment starts a process of reading certificate card information, and a session key is obtained by the two parties; and after the certificate card reading device and the first certificate card safety control equipment obtain a session key, encrypting and decrypting the sent and received data respectively by using the session key in the subsequent communication process of the certificate card reading device and the first certificate card safety control equipment.
Scheme 25, the system according to any one of schemes 18 to 24, wherein the server sends the card-searching request to the first credential card security control device by:
selecting the first certificate card security control device from a plurality of certificate card security control devices;
and sending the card searching request to the selected first certificate card safety control equipment.
Scheme 26, the system of scheme 25, the server selecting the first credential card security control device from a plurality of credential card security control devices by:
selecting the first certificate card safety control equipment from a plurality of certificate card safety control equipment according to the pre-stored corresponding relation between the certificate card reading device and the certificate card safety control equipment; or
And selecting the certificate card safety control equipment with the current working state being idle from the plurality of certificate card safety control equipment as the first certificate card safety control equipment.
Scheme 27, the system according to any one of schemes 18 to 26, and the terminal, further configured to display and/or send the credential card information to a storage device for storage after receiving the credential card information.
The technical scheme provided by the invention shows that the certificate card reading device (which is equivalent to a reading module in the certificate card reading device in the prior art, only has an information interaction function, and does not have other functions such as certificate card safety control authentication of the existing certificate card reader) and the first certificate card safety control equipment (which is equivalent to the certificate card safety control module in the certificate card reading device in the prior art, and is used for carrying out certificate card safety control authentication on the certificate card) are separately arranged, the certificate card reading device and the first certificate card safety control equipment are communicated through the server, and the certificate card information is read, so that a plurality of certificate card reading devices can share one certificate card safety control equipment, the utilization rate of the certificate card safety control equipment is improved, and the cost is saved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a credential card information acquisition system according to embodiment 1 of the present invention;
fig. 2 is a schematic structural diagram of a credential card information acquisition device provided in embodiment 2 of the present invention;
fig. 3 is a signaling flowchart of a certificate card information obtaining method according to embodiment 3 of the present invention;
fig. 4 is a partial signaling flowchart of a method for acquiring information of a certificate card according to embodiment 3 of the present invention;
fig. 5 is a partial signaling flowchart of a method for acquiring information of a credential card according to embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Example 1
The present embodiment provides a credential card information acquiring system, by which credential card information stored in a credential card can be acquired.
Fig. 1 is a schematic diagram of an architecture of a credential card information acquiring system provided in this embodiment, as shown in fig. 1, the system mainly includes: a terminal 10, a credential card reading device 20, a server 30 and a first credential card security control device 40.
In the embodiment, the terminal 10 is configured to send an operation request to the credential card reading device 20. An identification card reading device 20 for: receiving the operation request, periodically broadcasting the card-searching instruction, receiving a response message returned by the certificate card, and determining that the response message is card-searching confirmation data for the card-searching instruction, stopping broadcasting the card-searching instruction, and sending the card-searching request to the server 30. And the server 30 is used for receiving the card searching request and sending the card searching request to the first certificate card security control equipment 40. A first credential card security control device 40 for: and receiving the card searching request, and sending a card searching response to the credential card reading device 20 through the server 30, wherein the card searching response carries card searching response data. The credential card reading device 20, further configured to: receiving a card searching response sent by the first certificate card security control device 40, and acquiring card searching response data; determining that the card searching response data is response data responding to the card searching request, and sending the card searching confirmation data to the first certificate card security control device 40 through the server 30; sending a card selection instruction to the certificate card; receiving card selection confirmation data sent by the certificate card, wherein the card selection confirmation data at least comprises unique identification information of the certificate card; and then sends a card selection request to the first credential card security control device 40. The first certificate card security control device 40 is further configured to receive a card selection request; and sends a card selection request response to the credential card reader device 20 via the server 30. The credential card reading device 20 receives the card selection request response sent by the first credential card security control device 40. The credential card reading device 20 is also configured to: determining that the card selection request response is response data for the card selection request, and sending card selection confirmation data to the first credential card security control device 40 through the server 30; sending a card reading instruction to the certificate card, and receiving card reading confirmation data returned by the certificate card; and sends a card reading request to the server 30. The server 30 is also configured to send a card reading request to the first credential card security control device 40. The first credential card security control device 40 is further configured to: receiving a card reading request, starting a process of reading the information of the certificate card, and performing information interaction between the server 30 and the certificate card reading device 20 and the certificate card to read the information of the certificate card stored in the certificate card; and transmits the read credential card information to the credential card reading device 20 through the server 30. The credential card reading device 20 is also operative to receive and transmit credential card information to the terminal 10.
In the present embodiment, when the user needs to read the credential card information stored in the credential card, an operation request is sent to the credential card reading device 20 through the terminal 10, indicating that the credential card reading device 20 needs to read the credential card information stored in the credential card. For example, the user may input an operation instruction to the terminal 10 through a certain key in the terminal 10, and the terminal 10 transmits an operation request to the credential card reading device 20 in response to the operation instruction input by the user. In a specific implementation process, the terminal 10 and the credential card reading device 20 may be connected through a wired connection (e.g., a USB interface, a serial port, an earphone interface, etc.) or a wireless connection (e.g., WIFI, bluetooth, infrared, NFC, etc.).
In addition, the certificate card information stored in the certificate card is encrypted and transmitted, and due to the particularity of the certificate card, only the certificate card safety control equipment can decrypt the certificate card information stored in the certificate card. In a specific implementation process, the content that needs to be decrypted by the first credential card security control device 40 may be set in the card reading request, for example, the first credential card security control device 40 may be set to read only basic information (e.g., name, gender, year and month of birth, etc.) stored in the credential card, the first credential card security control device 40 may also be set to read basic information + photograph + fingerprint information, etc. stored in the credential card, and the setting may be specifically performed as needed. In a specific implementation process, the setting can be performed by the user at the terminal 10, after the setting is completed, the setting information is sent to the credential card reading device 20 through the operation request, and the credential card reading device 20 sends the setting information to the first credential card security control device 40 according to the setting of the user when sending the card reading request.
Through the above-mentioned system that this embodiment provided, with certificate card reading device 20 (be equivalent to the reading module in the certificate card reading device of prior art, it only has information interaction function, do not have other functions such as certificate card safety control authentication of current certificate card reader) and first certificate card safety control equipment 40 (be equivalent to certificate card safety control module in the certificate card reading device of prior art, be used for carrying out certificate card safety control authentication to the certificate card) separately set up, communicate through server 30, can a plurality of certificate card reading devices share certificate card safety control equipment, thereby improved certificate card safety control equipment's utilization ratio, the cost is practiced thrift.
The system provided by this embodiment can be applied to a banking system, where the terminal 10 can be the front end of a bank counter, and each business office can be provided with one server, or business offices in one region can share one server, and the certificate card security control device can also be provided with one or more certificate card security control devices per business office, or multiple business offices can share one or more certificate card security control devices.
In this embodiment, the server 30 may be distributed, centralized, or a virtual server, and the embodiment is not limited to this.
In order to enable the first credential card security control device 40 to determine that the card-seeking request is sent by the credential card reading device 20, and avoid an attack of the illegally simulated credential card reading device 20 on the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the card-seeking request sent by the credential card reading device carries at least first identity authentication data; the first credential card security control device 40 is further configured to authenticate the identity of the credential card reading device 20 according to the first identity authentication data carried in the card seeking request before the card seeking response is returned to the credential card reading device 20 through the server 30, and in a case that the authentication is passed, perform an operation of returning the card seeking response to the credential card reading device 20 through the server 30. In this optional embodiment, optionally, the first authentication data may be a signature value obtained by the credential card reading device 20 signing the information to be signed by using its own private key, where the information to be signed may be a random number generated by the credential card reading device 20, and the credential card reading device 20 may carry the random number and the signature value of the random number together in the card searching request and send the random number and the signature value; alternatively, the information to be signed may also be card searching request data carried in the card searching request, and the specific embodiment is not limited. The first credential card security control device 40 may authenticate the identity of the credential card reading device 20 through the first identity authentication data after receiving the card seeking request, and only return a card seeking response to the credential card reading device 20 after the authentication is passed. Of course, the first authentication data may be other data besides the signature value obtained by signing the information to be signed, for example, a check value obtained by performing check calculation on the information to be authenticated by using an algorithm agreed with the first certificate card security control device 40 in advance, and the specific embodiment is not limited thereto. The first identification card security control device 40 authenticates the first authentication data in a corresponding manner.
In order to enable the credential card reading device 20 to determine that the card seeking response is sent by the first credential card security control device 40, and to avoid the illegally emulated first credential card security control device 40 from illegally acquiring information stored in the credential card, in an optional implementation of the embodiment of the present invention, the first credential card security control device 40 is further configured to acquire the second authentication data before sending the card seeking response, and carry the second authentication data in the card seeking response. The certificate card reading device 20 is further configured to authenticate the identity of the first certificate card security control device 40 according to the second identity authentication data after receiving the card seeking response sent by the first certificate card security control device 40 through the server 30 and before sending the card seeking confirmation data to the first certificate card security control device 40 through the server 30, and in case of passing the authentication, perform an operation of sending the card seeking confirmation data to the first certificate card security control device 40 through the server 30. That is, in this alternative embodiment, the credential card reading device 20 sends the confirmation data returned by the credential card to the first credential card security control device 40 only if the identity of the first credential card security control device 40 is determined, thereby preventing the information stored in the credential card from being illegally acquired.
In the optional embodiment, optionally, the second identity authentication data may be a signature value obtained by the first credential card security control device 40 signing information to be signed by using its own private key, where the information to be signed may be a random number generated by the first credential card security control device 40, and the first credential card security control device 40 may carry the random number and the signature value of the random number together in a card-searching response and send the card-searching response to the first credential card security control device 40; alternatively, the information to be signed may also be card searching response data carried in the card searching response, and the specific embodiment is not limited. After receiving the card searching response, the credential card reading device 20 can authenticate the identity of the first credential card security control device 40 through the second identity authentication data, and after the authentication is passed, send the card searching confirmation data to the first credential card security control device 40. Of course, the second authentication data may be other data besides the signature value obtained by signing the information to be signed, for example, a check value obtained by checking and calculating the information to be signed by using an algorithm agreed with the credential card reading device 20 in advance, and the embodiment is not limited in this embodiment. The credential card reading device 20 authenticates the second authentication data in a corresponding manner.
Similarly, in order to enable the first credential card security control device 40 to determine that the card selection request is sent by the credential card reading device 20, and avoid an attack of the illegally simulated credential card reading device 20 on the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the card selection request sent by the credential card reading device 20 may further carry third identity authentication data; the first credential card security control device 40 is further configured to authenticate the identity of the credential card reading device 20 according to the third authentication data carried in the card selection request after receiving the card selection request and before sending a card selection request response to the credential card reading device 20 through the server 30, and in a case that the authentication is passed, perform an operation of sending the card selection request response to the credential card reading device 20 through the server 30. Similar to the first identity authentication data, the third identity authentication data may also be a signature value obtained by the certificate card reading device 20 signing the information to be signed by using its own private key, or may also be a check address obtained by performing check calculation on the data to be authenticated by using a predetermined algorithm agreed with the first certificate card security control device 40, which is not described in detail herein.
In addition, in order to enable the credential card reading device 20 to determine that the card selection request response is sent by the first credential card security control device 40, and avoid the illegally emulated first credential card security control device 40 from illegally acquiring information stored in the credential card, in an optional implementation of the embodiment of the present invention, the first credential card security control device 40 is further configured to acquire fourth authentication data before sending the card selection request response, and carry the fourth authentication data in the card selection request response; the certificate card reading device 20 is further configured to, after receiving the card selection request response sent by the first certificate card security control device 40 and before sending the card selection confirmation data to the first certificate card security control device 40 through the server 30, parse information carried in the card selection request response, obtain fourth authentication data carried in the card selection request response, authenticate the identity of the first certificate card security control device 40 according to the fourth authentication data, and execute an operation of sending the card selection confirmation data to the first certificate card security control device 40 through the server 30 if the authentication is passed. Similarly, the fourth authentication data may be a signature value obtained by the first credential card security control device 40 using its own private key to sign the information to be signed, or may also be a check address obtained by performing check calculation on the data to be authenticated by using a predetermined algorithm agreed with the credential card reading device 20, which is not described in detail herein.
Similarly, in order to enable the first credential card security control device 40 to determine that the card reading request is sent by the credential card reading device 20, and avoid an attack of the illegally simulated credential card reading device 20 on the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the card reading request sent by the credential card reading device 20 at least carries fifth identity authentication data; the first certificate card security control device 40 is further configured to authenticate the identity of the certificate card reading apparatus 20 according to fifth authentication data carried in the card reading request after receiving the card reading request and before starting the process of reading the certificate card information, and execute an operation of starting the process of reading the certificate card information if the authentication is passed.
In an optional implementation of the embodiment of the present invention, after the first credential card security control device 40 starts the procedure of reading credential card information, in the procedure of reading credential card information, mutual authentication between the first credential card security control device 40 and the credential card can be performed by the credential card reading device 20 and the server 30, the credential card allows the stored information to be read only after the first credential card security control device 40 passes the authentication, and the first credential card security control device 40 receives the information sent by the credential card only after the first credential card passes the authentication, and further processes the information sent by the credential card to obtain the credential card information that can be read. The specific authentication flow between the first credential card security control device 40 and the credential card can be referred to the description in embodiment 3, which is not described herein again.
In order to ensure the security of data transmission between the credential card reading device 20 and the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the credential card reading device 20 and the first credential card security control device 40 are further configured to perform negotiation through the server 30 before the first credential card security control device 40 starts a procedure of reading credential card information, and both sides obtain a session key; and after the credential card reading device 20 and the first credential card security control device 40 obtain the session key, the credential uses the session key to encrypt and decrypt the transmitted and received data, respectively, during subsequent communication between the credential card reading device 20 and the first credential card security control device 40. In a specific application, the credential card reading device 20 and the first credential card security control device 40 may perform the negotiation of the session key before the credential card reading device 20 sends the card seeking request, or may start performing the negotiation of the session key when the card seeking request is sent, or may start the negotiation of the session key after the credential card reading device 20 sends the card seeking request to the first credential card security control device 40, which is not limited in this embodiment. The session key negotiation process between the credential card reading device 20 and the first credential card security control device 40 can be referred to the description of embodiment 3, and will not be described in detail here.
In an optional implementation of the embodiment of the present invention, one server 30 may be connected to a plurality of credential card security control devices, and therefore, in this optional implementation, the server 30 is further configured to select the first credential card security control device 40 from the plurality of credential card security control devices before sending the card seeking request to the first credential card security control device 40.
In an alternative implementation of the embodiment of the present invention, the manner in which the server 30 selects the credential card security control device includes, but is not limited to, one of the following:
(1) selecting the certificate card safety control equipment corresponding to the certificate card reading device 20 from a pre-stored corresponding relationship, wherein one or more certificate card reading devices corresponding to each certificate card safety control equipment in a plurality of certificate card safety control equipment are recorded in the corresponding relationship;
for example, the server 30 is connected to a plurality of credential card security control devices, and can store the correspondence of each of the plurality of credential card security control devices with a plurality of credential card reading apparatuses. The correspondence may also be set according to a certain rule, for example, the correspondence may be divided according to a geographical area, and a plurality of credential card reading devices in the same area correspond to the same credential card security control device, or each credential card reading device may be assigned an ID and divided according to an ID number, and credential card reading devices having IDs in the same range correspond to the same credential card security control device, or may be divided according to addresses (for example, IP addresses) of the credential card reading devices in a network. With this alternative embodiment, a plurality of credential card reading devices can be mapped to one credential card security control device through the server 30, which improves the utilization rate and system manageability of the credential card security control device, and a failure can be quickly located if it occurs by mapping a plurality of credential card reading devices to one credential card security control device.
For example, in a banking system, a plurality of certificate card security control devices may be set at a business location, a correspondence may be set in a server, the front-end certificate card reading devices may be numbered, and then the certificate card security control devices corresponding to each certificate card reading device may be recorded in the correspondence. For the situation that a plurality of business places share a plurality of certificate card safety control devices, the server can set a corresponding relation to record that the certificate card reading device from each business place corresponds to the certificate card safety control device, or can carry out the distribution of the certificate card safety control device according to the IP address of the certificate card reading device at the front end.
(2) And selecting the certificate card safety control equipment with the current working state being idle from the plurality of certificate card safety control equipment as the first certificate card safety control equipment.
For example, the server 30 may record the operating state of each of the multiple credential card security control devices in the system, and when receiving a card searching request from the credential card reading apparatus 20, the server 30 may select, according to the operating state of each credential card security control device, a credential card security control device whose current operating state is idle as a credential card security control device corresponding to the credential card reading apparatus, and mark the operating state of the selected credential card security control device as non-idle. Through the optional implementation scheme, the situation that one certificate card safety control device receives information of a plurality of terminals at the same time to cause reduction of processing efficiency can be avoided.
In an optional implementation of the embodiment of the present invention, in order to quickly release the unused credential card security control device, the server 30 may further mark the operating state of the selected credential card security control device as idle after the credential card reading device finishes communicating with the selected credential card security control device. Of course, in the specific implementation process, if all the credential card security control devices are in the non-idle state, the credential card security control devices can be selected according to the load states of the credential card security control devices to achieve load balancing.
For example, in a banking system, a plurality of credential card security control devices may be installed at one or more business locations or the whole network, an idle credential card security control device pool may be installed in the server, the server may take out one credential card security control device from the idle credential card security control device pool when receiving a request sent from a front-end credential card reader, allocate the credential card security control device to a current credential card reader, process a request related to the current credential card reader by the credential card security control device, remove the credential card security control device from the idle credential card security control device pool, and place the credential card security control device in the idle credential card security control device pool after use.
Through the optional embodiment, the server can select a proper certificate card security control device for the certificate card reading device 20 according to specific applications, so that the utilization rate of the certificate card security control device can be improved, and meanwhile, the data processing efficiency can be improved.
In an alternative implementation of the embodiment of the present invention, as shown in fig. 1, the system may further include: a storage device 50. Then in this alternative embodiment, the credential card reading device 20, upon receiving the credential card information, is also configured to send the credential card information to the storage device 50; the storage device 50 is also used to store received credential card information. Through the optional implementation mode, when the information of the certificate card needs to be presented subsequently, the information can be directly acquired from the storage device 50, so that the problem that the user carries the certificate card with him and brings inconvenience to the user is solved.
In particular implementations, the memory device 50 may be disposed in the terminal 10 as part of the credential card reading device 20 or may be disposed external to the credential card reading device 20. The storage device may be a single storage device, or may be a device integrated with other functions, for example, an electronic signature device (e.g., a U shield of a working bank, a K bank of a farming bank, etc.). In addition, the identification card information may be stored in the storage device 50 in a plaintext form or may be stored in the storage device 50 in an encrypted form, and the embodiment is not limited to this.
In an alternative implementation of the embodiments of the present invention, the system may also display a device 60, as shown in FIG. 1. In this alternative embodiment, the credential card reading device 20 is also used to send credential card information to the display device 60; and the display device 60 is used for displaying the certificate card information. Through the optional implementation mode, the read certificate card information can be displayed, so that a user can know the certificate card information stored in the certificate card.
In a specific implementation process, the display device 60 may be disposed in the terminal 10 as a part of the terminal 10, or may be disposed independently from the terminal 10, and the specific embodiment is not limited thereto.
In another optional implementation of the embodiment of the present invention, the terminal 10 may also send the received credential card information to an external storage device for storage, and therefore, in this optional implementation, the terminal 10 is further configured to send the credential card information to the storage device 50 after receiving the credential card information; the storage device 50 is also used to store received credential card information. Through the optional implementation mode, when the information of the certificate card needs to be presented subsequently, the information can be directly acquired from the storage device 50, so that the problem that the user carries the certificate card with him and brings inconvenience to the user is solved. In this alternative embodiment, the storage device 50 may be a single storage device, or may be a device integrated with other functions, for example, an electronic signature device (e.g., a U shield of a working department, a K treasure of a farming department, etc.). In addition, the identification card information may be stored in the storage device 50 in a plaintext form or may be stored in the storage device 50 in an encrypted form, and the embodiment is not limited to this.
In another optional implementation of the embodiment of the present invention, after the terminal 10 receives the credential card information, if the terminal 10 has a display module, the received credential card information may be displayed through the display module, and if the terminal 10 does not have the display module, the terminal 10 may transmit the credential card information to an external display device for storage. Thus, in this alternative embodiment, the terminal 10 is also used to send credential card information to the display device 60; and the display device 60 is used for displaying the certificate card information. Through the optional implementation mode, the read certificate card information can be displayed, so that a user can know the certificate card information stored in the certificate card.
Example 2
The present embodiment provides a credential card information acquisition device that can be provided in the credential card reading device 20 of embodiment 1 described above, for acquiring credential card information stored in a credential card.
Fig. 2 is a schematic structural diagram of the credential card information obtaining apparatus provided in this embodiment, and as shown in fig. 2, the apparatus mainly includes: a first transceiver module 200, a second transceiver module 202, a third transceiver module 204 and a processing module 206. The first transceiver module 200 is configured to receive an operation request sent by a terminal; the second transceiver module 202 is configured to periodically broadcast a card-searching instruction and receive a response message returned by the certificate card; the processing module 206 is configured to determine that the response message is card searching confirmation data for the card searching instruction; if so, instructing the second transceiver module 202 to stop broadcasting the card searching instruction, and instructing the third transceiver module 204 to send a card searching request to the first certificate card security control device through the server; the third transceiving module 204 is configured to send a card searching request through the server, and receive a card searching response returned by the first credential card security control device through the server; the processing module 206 is further configured to obtain card searching response data from the card searching response, determine that the card searching response data is response data in response to the card searching request, and instruct the third transceiver module 204 to send card searching confirmation data to the first credential card security control device through the server; the second transceiver module 202 is further configured to send a card selection instruction to the credential card, and receive card selection confirmation data sent by the credential card, where the card selection confirmation data at least includes unique identification information of the credential card; the third transceiving module 204 is further configured to send a card selection request to the first credential card security control device through the server, and receive a card selection request response sent by the first credential card security control device through the server; the processing module 206 is further configured to determine that the card selection request response is response data for the card selection request, and instruct the third transceiver module 204 to send card selection confirmation data to the first credential card security control device through the server; the second transceiver module 202 is further configured to send a card reading instruction to the certificate card and receive card reading confirmation data returned by the certificate card; the third transceiving module 204 is further configured to send a card reading request to the first credential card security control device through the server, and instruct the first credential card security control device to start a process of reading credential card information; receiving first interactive information sent by first certificate card safety control equipment through a server in the process of reading certificate card information, and sending second interactive information sent by the certificate card to the first certificate card safety control equipment through the server; receiving certificate card information read from the certificate card and sent by the first certificate card security control equipment through the server; the second transceiver module 202 is further configured to send the first interaction information received by the third transceiver module 204 to the certificate card, and receive second interaction information sent by the certificate card; the first transceiver module 200 is further configured to send the credential card information received by the third transceiver module 204 to the terminal.
In order to enable the first credential card security control device 40 to determine that the card seeking request is sent by the credential card information obtaining apparatus, and avoid an attack on the first credential card security control device 40 by an illegally simulated credential card information obtaining apparatus, in an optional implementation of the embodiment of the present invention, the processing module 206 is further configured to obtain the first authentication data before the third transceiver module 204 sends the card seeking request, and carry the first authentication data in the card seeking request. In this optional implementation manner, optionally, the first identity authentication data may be a signature value obtained by the certificate card information obtaining device signing the information to be signed by using its own private key, where the information to be signed may be a random number generated by the certificate card information obtaining device, and the certificate card information obtaining device may carry the random number and the signature value of the random number together in the card searching request and send the random number and the signature value; alternatively, the information to be signed may also be card searching request data carried in the card searching request, and the specific embodiment is not limited. After receiving the card searching request, the first credential card security control device 40 may authenticate the identity of the credential card information acquisition device through the first identity authentication data, and only after the authentication is passed, a card searching response is returned to the credential card information acquisition device. Of course, the first authentication data may be other data besides the signature value obtained by signing the information to be signed, for example, a check value obtained by performing check calculation on the information to be authenticated by using an algorithm agreed with the first certificate card security control device 40 in advance, and the specific embodiment is not limited thereto.
In order to enable the credential card information obtaining apparatus to determine that the card seeking response is sent by the first credential card security control device 40, and avoid that the illegally simulated first credential card security control device 40 illegally obtains information stored in the credential card, in an optional implementation of the embodiment of the present invention, the card seeking response at least carries second identity authentication data; the processing module 206 is further configured to authenticate the identity of the first certificate card security control device according to the second identity authentication data after the third transceiver module 204 receives the card searching response sent by the first certificate card security control device through the server and before the card searching confirmation data is sent to the first certificate card security control device through the server, and trigger the third transceiver module 204 to send the card searching confirmation data to the first certificate card security control device through the server under the condition that the authentication is passed. That is, in this alternative embodiment, the processing module 206 triggers the third transceiving module 204 to send the confirmation data returned by the credential card to the first credential card security control device 40 only when the identity of the first credential card security control device 40 is determined, so that the information stored in the credential card is prevented from being illegally acquired.
In the optional embodiment, optionally, the second identity authentication data may be a signature value obtained by the first credential card security control device 40 signing information to be signed by using its own private key, where the information to be signed may be a random number generated by the first credential card security control device 40, and the first credential card security control device 40 may carry the random number and the signature value of the random number together in a card-searching response and send the card-searching response to the first credential card security control device 40; alternatively, the information to be signed may also be card searching response data carried in the card searching response, and the specific embodiment is not limited. After receiving the card searching response, the credential card information obtaining device 20 may authenticate the identity of the first credential card security control device 40 through the second identity authentication data, and after the authentication is passed, send the card searching confirmation data to the first credential card security control device 40. Of course, the second identity authentication data may be other data besides the signature value obtained by signing the information to be signed, for example, a check value obtained by checking and calculating the information to be authenticated by using an algorithm agreed with the certificate card information acquisition device in advance, and the specific embodiment is not limited in this embodiment.
Similarly, in order to enable the first credential card security control device 40 to determine that the card selection request is sent by the credential card information obtaining device, so as to avoid an attack on the first credential card security control device 40 by an illegally simulated credential card information obtaining device, in an optional implementation of the embodiment of the present invention, the processing module 206 is further configured to obtain third authentication data before the third transceiving module 204 sends the card selection request, and carry the third authentication data in the card selection request. Similar to the first identity authentication data, the third identity authentication data may also be a signature value obtained by the certificate card information acquisition device signing the information to be signed by using its own private key, or may also be a check value obtained by checking and calculating the data to be authenticated by using a predetermined algorithm agreed with the first certificate card security control device 40, which is not described in detail herein.
In addition, in order to enable the credential card information obtaining apparatus to determine that the card selection request response is sent by the first credential card security control device 40, and avoid that the illegally simulated first credential card security control device 40 illegally obtains information stored in the credential card, in an optional implementation of the embodiment of the present invention, the card selection request response at least carries fourth identity authentication data; the processing module 206 is further configured to, after the third transceiver module 204 receives the card selection request response sent by the first credential card security control device, analyze information carried in the card selection request response before sending the card selection confirmation data to the first credential card security control device through the server, obtain fourth identity authentication data carried in the card selection request response, authenticate the identity of the first credential card security control device according to the fourth identity authentication data, and trigger the third transceiver module 204 to send the card selection confirmation data to the first credential card security control device through the server when the authentication is passed. Similarly, the fourth authentication data may be a signature value obtained by the first certificate card security control device 40 signing the information to be signed by using its own private key, or may also be a check address obtained by performing check calculation on the data to be authenticated by using a predetermined algorithm agreed with the certificate card information acquisition device, which is not described in detail herein.
Similarly, in order to enable the first credential card security control device 40 to determine that the card reading request is sent by the credential card information obtaining apparatus, so as to avoid an attack of an illegally simulated credential card information obtaining apparatus on the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the processing module 206 is further configured to obtain fifth authentication data before the third transceiving module 204 sends the card reading request, and carry the fifth authentication data in the card reading request.
In order to ensure the security of data transmission with the first credential card security control device 40, in an optional implementation of the embodiment of the present invention, the processing module 206 is further configured to negotiate with the first credential card security control device through the server before the first credential card security control device starts a procedure of reading credential card information, so as to obtain a session key; and in the subsequent communication process with the first certificate card security control device, the session key is used for encrypting and sending the data sent by the third transceiver module 204 and decrypting the data received by the third transceiver module 204 respectively. In a specific application, the session key negotiation with the first certificate card security control device 40 may be performed before the third transceiver module 204 sends the card search request, or the session key negotiation may be started when the card search request is sent, or the session key negotiation may be started after the card search request is sent to the first certificate card security control device 40, which is not limited in this embodiment. The session key negotiation process with the first credential card security control device 40 can be referred to the description of embodiment 3, and will not be described in detail here.
Example 3
This embodiment provides a method for acquiring information of a certificate card, which can be implemented by the system or apparatus provided in embodiments 1 to 2.
Fig. 3 is a schematic flowchart of a method for acquiring information of a credential card according to this embodiment, and as shown in fig. 3, the method mainly includes the following steps S301 to S320.
Step S301, the terminal sends an operation request to the certificate card reading device.
In the specific implementation process, the terminal and the certificate card reading device can be connected through a wired connection (for example, a USB interface, a serial port, an audio interface, and the like) or a wireless connection (for example, WIFI, bluetooth, infrared, NFC, and the like).
In this embodiment, when the user needs to read the credential card information stored in the credential card, the user sends an operation request to the credential card reading device through the terminal to indicate that the credential card reading device needs to read the credential card information stored in the credential card. For example, a user can input an operation instruction to the terminal through a certain key in the terminal, and the terminal responds to the operation instruction input by the user and sends an operation request to the certificate card reading device.
In addition, the certificate card information stored in the certificate card is stored in an encrypted manner, and due to the particularity of the certificate card, only the certificate card safety control equipment can decrypt the certificate card information stored in the certificate card. In a specific implementation process, the content that needs to be decrypted by the first credential card security control device may be set in the card reading request, for example, the first credential card security control device may be set to only read basic information (e.g., name, gender, birth year and month, etc.) stored in the credential card, the first credential card security control device may also be set to read basic information + photograph + fingerprint information, etc. stored in the credential card, and the setting may be specifically performed as needed. In a specific implementation process, the setting can be performed by a user at a terminal, after the setting is completed, the setting is sent to the certificate card reading device through an operation request, and the certificate card reading device sends the setting information to the first certificate card safety control device according to the setting of the user in a card reading process.
Step S302, the certificate card reading device receives the operation request and broadcasts the card searching command periodically.
In a specific implementation process, the identification card reading device can periodically broadcast a card searching instruction through a Radio Frequency (RF) antenna of the identification card reading device, and if the identification card exists in a readable range of the identification card reading device, the identification card can receive the card searching instruction and respond to the card searching instruction.
Step S303, the credential card reading device receives a response message returned by the credential card, and determines that the response message is the card-searching confirmation data for the card-searching instruction.
In this embodiment, the credential card reading device sends a card-searching command to the outside at intervals of time through its RF module, and after receiving the card-searching command, the credential card returns a response message carrying card-searching confirmation data to the credential card reading device, and after determining that the card-searching confirmation data sent by the credential card is received, the credential card reading device executes step S304.
And step S304, the certificate card reading device stops broadcasting the card searching command and sends a card searching request to the server.
In this embodiment, the card search request may carry card search request data, so that the credential card security control device can know the type of the received card search request.
In this embodiment, the servers may be distributed, centralized, or virtual servers, and the embodiment is not limited to this. In addition, the server and the first certificate card security control device may be connected through a wired connection or a wireless connection, and this embodiment is not limited in this embodiment.
Step S305, the server receives the card searching request and sends the card searching request to the first certificate card safety control equipment.
In a specific application, the credential card security control device connected to the server may be one (i.e., the first credential card security control device) or multiple, and in the case of multiple credential card security control devices, the server selects one credential card security control device (i.e., the first credential card security control device) for the credential card reading apparatus before sending the card searching request.
In an alternative implementation of the embodiment of the present invention, the manner in which the server selects the credential card security control device includes, but is not limited to, one of the following:
(1) selecting certificate card safety control equipment corresponding to the certificate card reading device from a pre-stored corresponding relationship, wherein one or more certificate card reading devices corresponding to each certificate card safety control equipment in a plurality of certificate card safety control equipment are recorded in the corresponding relationship;
for example, the server is connected to a plurality of credential card security control devices, and can store a correspondence relationship of each of the plurality of credential card security control devices to a plurality of credential card reading apparatuses. The correspondence may also be set according to a certain rule, for example, the correspondence may be divided according to a geographical area, and a plurality of credential card reading devices in the same area correspond to the same credential card security control device, or each credential card reading device may be assigned an ID and divided according to an ID number, and credential card reading devices having IDs in the same range correspond to the same credential card security control device, or may be divided according to addresses (for example, IP addresses) of the credential card reading devices in a network. Through this optional implementation scheme, can be through the server, with a plurality of certificate card reading device to a certificate card safety control equipment, improved certificate card safety control equipment's utilization ratio and system manageability to, through with a plurality of certificate card reading device to a certificate card safety control equipment, also can fix a position the trouble rapidly if breaking down.
For example, in a banking system, a plurality of certificate card security control devices may be set at a business location, a correspondence may be set in a server, the front-end certificate card reading devices may be numbered, and then the certificate card security control devices corresponding to each certificate card reading device may be recorded in the correspondence. For the situation that a plurality of business places share a plurality of certificate card safety control devices, the server can set a corresponding relation to record that the certificate card reading device from each business place corresponds to the certificate card safety control device, or can carry out the distribution of the certificate card safety control device according to the IP address of the certificate card reading device at the front end.
(2) And selecting the certificate card safety control equipment with the current working state being idle from the plurality of certificate card safety control equipment as the first certificate card safety control equipment.
For example, the server may record the working state of each of the multiple credential card security control devices in the system, and when receiving a card search request from the credential card reading apparatus, the server may select, according to the working state of each credential card security control device, a credential card security control device whose current working state is idle as a credential card security control device (i.e., a first credential card security control device) corresponding to the credential card reading apparatus, and mark the working state of the selected credential card security control device as non-idle. Through the optional implementation scheme, the situation that one certificate card safety control device receives information of a plurality of terminals at the same time to cause reduction of processing efficiency can be avoided.
In an optional implementation of the embodiment of the present invention, in order to quickly release the unused credential card security control device, the server may further mark the operating state of the selected credential card security control device as idle after the credential card reading device finishes communication with the selected credential card security control device. Of course, in the specific implementation process, if all the credential card security control devices are in the non-idle state, the credential card security control devices can be selected according to the load states of the credential card security control devices to achieve load balancing.
For example, in a banking system, a plurality of certificate card security control devices may be installed at one or more business locations or the whole network, an idle certificate card security control device pool is installed in a server, the server, upon receiving a card-seeking request from a front certificate card reading device, takes out one certificate card security control device from the idle certificate card security control device pool, allocates the certificate card security control device to a current certificate card reading device, processes a request related to the current certificate card reading device by the certificate card security control device, and moves out the certificate card security control device from the idle certificate card security control device pool, and after the certificate card security control device is used up, puts the certificate card security control device into the idle certificate card security control device pool.
Through the optional implementation mode, the server can select the proper certificate card safety control equipment for the certificate card reading device according to specific application, so that the utilization rate of the certificate card safety control equipment can be improved, and meanwhile, the data processing efficiency is improved.
And step S306, the first certificate card security control equipment receives the card searching request and sends a card searching response to the certificate card reading device through the server, wherein the card searching response carries card searching response data.
In order to enable the first certificate card security control device to determine that the card searching request is sent by the certificate card reading device and avoid the illegal simulated certificate card information acquisition device from attacking the first certificate card security control device, in an optional implementation scheme of the embodiment of the invention, the card searching request sent by the certificate card reading device at least carries first identity authentication data; before the first credential card security control device returns a card-seeking response to the credential card reading device through the server, the method may further include: and the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to the first identity authentication data carried in the card searching request, and executes a step of returning a card searching response to the certificate card reading device through the server under the condition that the authentication is passed.
In this optional implementation manner, optionally, the first identity authentication data may be a signature value obtained by the certificate card reading device signing the information to be signed by using its own private key, where the information to be signed may be a random number generated by the certificate card reading device, and the certificate card reading device may carry the random number and the signature value of the random number together in the card searching request and send the random number and the signature value; alternatively, the information to be signed may also be card searching request data carried in the card searching request, and the specific embodiment is not limited. After receiving the card searching request, the first certificate card security control device can authenticate the identity of the certificate card reading device through the first identity authentication data, and only after the authentication is passed, the first certificate card security control device returns a card searching response to the certificate card reading device. Of course, the first authentication data may be a signature value obtained by signing the information to be signed, and may also be other data, for example, a check value obtained by checking and calculating the information to be authenticated by using an algorithm agreed with the first credential card security control device in advance, and the like, and the specific embodiment is not limited thereto. And the first certificate card safety control equipment authenticates the first identity authentication data in a corresponding mode.
Step S307, the credential card reading device receives the card searching response sent by the first credential card security control device, and obtains card searching response data.
And step S308, the certificate card reading device determines that the card searching response data is response data responding to the card searching request, and sends the card searching confirmation data to the first certificate card safety control equipment through the server.
In order to enable the credential card reading apparatus to determine that the card seeking response is sent by the first credential card security control device, and avoid that the illegally simulated first credential card security control device illegally acquires information stored in the credential card, in an optional implementation of the embodiment of the present invention, the first credential card security control device acquires the second identity authentication data before sending the card seeking response, and carries the second identity authentication data in the card seeking response. And after receiving the card searching response sent by the first certificate card safety control equipment through the server, the certificate card reading device authenticates the identity of the first certificate card safety control equipment according to the second identity authentication data before sending the card searching confirmation data to the first certificate card safety control equipment through the server, and executes the operation of sending the card searching confirmation data to the first certificate card safety control equipment through the server under the condition of passing the authentication. That is, in this optional embodiment, the credential card reading apparatus only sends the confirmation data returned by the credential card to the first credential card security control device if the identity of the first credential card security control device is determined, thereby preventing the information stored in the credential card from being illegally acquired.
In the optional embodiment, optionally, the second identity authentication data may be a signature value obtained by the first credential card security control device signing the information to be signed by using its own private key, where the information to be signed may be a random number generated by the first credential card security control device, and the first credential card security control device may carry the random number and the signature value of the random number together in a card-searching response and send the card-searching response to the first credential card security control device; alternatively, the information to be signed may also be card searching response data carried in the card searching response, and the specific embodiment is not limited. After receiving the card searching response, the certificate card reading device can authenticate the identity of the first certificate card safety control equipment through the second identity authentication data, and after the authentication is passed, the certificate card reading device sends card searching confirmation data to the first certificate card safety control equipment. Of course, the second identity authentication data may be other data besides the signature value obtained by signing the information to be signed, for example, a check value obtained by checking and calculating the information to be authenticated by using an algorithm agreed with the certificate card reading device in advance, and the specific embodiment is not limited in this embodiment. And the certificate card reading device authenticates the second identity authentication data in a corresponding mode.
Step S309, the certificate card reading device sends a card selection instruction to the certificate card.
Step S310, the certificate card reading device receives card selection confirmation data sent by the certificate card, wherein the card selection confirmation data at least comprises unique identification information of the certificate card;
step S311, the certificate card reading device sends a card selection request to the first certificate card security control equipment through the server;
step S312, the first certificate card safety control equipment receives the card selection request and sends a card selection request response to the certificate card reading device through the server;
in order to enable the first certificate card security control device to determine that the card selection request is sent by the certificate card reading device and avoid the illegal simulated certificate card reading device from attacking the first certificate card security control device, in an optional implementation scheme of the embodiment of the present invention, the card selection request sent by the certificate card reading device may further carry third identity authentication data; the first certificate card security control equipment is also used for authenticating the identity of the certificate card reading device according to third identity authentication data carried in the card selection request after receiving the card selection request and before sending the card selection request response to the certificate card reading device through the server, and executing the operation of sending the card selection request response to the certificate card reading device through the server under the condition that the authentication is passed. Similar to the first identity authentication data, the third identity authentication data may also be a signature value obtained by the certificate card reading device signing the information to be signed by using a private key of the certificate card reading device, or may also be an inspection address obtained by performing inspection calculation on the data to be authenticated by using a predetermined algorithm agreed with the first certificate card security control device, and details are not repeated.
Step S313, the certificate card reading device receives a card selection request response sent by the first certificate card security control equipment, determines the card selection request response as response data aiming at the card selection request, and sends card selection confirmation data to the first certificate card security control equipment through the server;
in order to enable the credential card reading apparatus to determine that the card selection request response is sent by the first credential card security control device, and to avoid that the illegally simulated first credential card security control device illegally acquires information stored in the credential card, in an optional implementation of the embodiment of the present invention, the first credential card security control device further acquires fourth authentication data before sending the card selection request response, and carries the fourth authentication data in the card selection request response; after receiving the card selection request response sent by the first certificate card security control equipment, the certificate card reading device analyzes information carried in the card selection request response before sending the card selection confirmation data to the first certificate card security control equipment through the server, obtains fourth identity authentication data carried in the card selection request response, authenticates the identity of the first certificate card security control equipment according to the fourth identity authentication data, and executes the operation of sending the card selection confirmation data to the first certificate card security control equipment through the server under the condition that the authentication is passed. Similarly, similar to the second identity authentication data, the fourth identity authentication data may be a signature value obtained by the first certificate card security control device signing the information to be signed by using its own private key, or may also be a check address obtained by performing check calculation on the data to be authenticated by using a predetermined algorithm agreed with the certificate card reading device, and details are not repeated.
Step S314, the certificate card reading device sends a card reading instruction to the certificate card;
step S315, the certificate card reading device receives the card reading confirmation data returned by the certificate card;
step S316, the certificate card reading device receives the operation request and sends a card reading request to the server;
step S317, the server sends the card reading request to the first certificate card safety control equipment;
step S318, the first certificate card safety control equipment receives the card reading request, starts a process of reading certificate card information, and reads the certificate card information stored in the certificate card through information interaction between the server and the certificate card reading device and the certificate card;
in order to enable the first certificate card security control device to determine that the card reading request is sent by the certificate card reading device and avoid the illegal simulated certificate card reading device from attacking the first certificate card security control device, in an optional implementation scheme of the embodiment of the invention, the card reading request sent by the certificate card reading device at least carries fifth identity authentication data; after receiving the card reading request and before starting the process of reading the information of the certificate card, the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to fifth authentication data carried in the card reading request, and executes the operation of starting the process of reading the information of the certificate card under the condition that the authentication is passed.
In the above-described flow of the present embodiment, a step before the first credential card security control device 40 starts a flow of reading credential card information may be referred to as a card reading preparation flow.
In an optional implementation of the embodiment of the present invention, after the first credential card security control device starts the procedure of reading credential card information, in the procedure of reading credential card information, mutual authentication may be performed between the first credential card security control device and the credential card through the credential card reading device and the server, the credential card allows the stored information to be read only after the first credential card security control device passes the authentication, and the first credential card security control device receives the information sent by the credential card only after the first credential card passes the authentication, and further processes the information sent by the credential card to obtain readable credential card information.
In an optional implementation of the embodiment of the present invention, if the card reading request includes content that is specified to be read, the first credential card security control device reads basic information (e.g., name, gender, month of birth, etc.) stored in the credential card or reads basic information + photo stored in the credential card according to the indication. If the content needing to be read is not specified in the card reading request, the first certificate card security control device reads default certificate card information, such as basic information stored in the certificate card.
Step S319, the first certificate card safety control equipment sends the read certificate card information to a certificate card reading device through a server;
in a specific application, the first certificate card security control device obtains the plaintext of the certificate card information stored in the certificate card through a card reading process, in an optional implementation manner of this embodiment, the first certificate card security control device may directly send the read plaintext of the certificate card information to the certificate card reading device, or the first certificate card security control device may encrypt the read plaintext by negotiating a session key with the certificate card reading device, send the encrypted certificate card information to the certificate card reading device, and decrypt the encrypted certificate card information by the certificate card reading device to obtain the plaintext of the certificate card information.
And step S320, the certificate card reading device receives and sends the certificate card information to the terminal.
By the method provided by the embodiment, the certificate card reading device only performs information interaction with the certificate card, the remote certificate card safety control equipment executes the functions of certificate card safety control authentication and the like, and a plurality of certificate card reading devices can share one certificate card safety control equipment, so that the utilization rate of the certificate card safety control equipment is improved, and the cost is saved.
Optionally, after receiving the information of the certificate card, the terminal may send the information of the certificate card to the display device for displaying, so that a user may read the information of the certificate card conveniently.
Optionally, the terminal may also send the credential card information to a storage device (e.g., an electronic signature device) for storage. Therefore, in subsequent use, a user does not need to carry the certificate card, and the problem that the inconvenience is brought to the user due to the fact that the user carries the certificate card is avoided.
In order to ensure the security of data transmission between the certificate card reading device and the first certificate card security control device, in an optional implementation of the embodiment of the present invention, before the first certificate card security control device 40 starts the process of reading the certificate card information, the certificate card reading device and the first certificate card security control device negotiate through the server, and both sides obtain the session key; after the certificate card reading device and the first certificate card security control device obtain the session key, in the subsequent communication process of the certificate card reading device and the first certificate card security control device, the two parties respectively encrypt and decrypt the sent and received data by using the session key. In a specific application, the credential card reading device and the first credential card security control device may perform negotiation of the session key before the credential card reading device sends the card search request, or start performing negotiation of the session key when the card search request is sent, or start negotiation of the session key after the credential card reading device sends the card search request to the first credential card security control device, which is not limited in this embodiment.
Fig. 4 is a schematic diagram of an embodiment of an optional card reading preparation process according to the present embodiment, and as shown in fig. 4, in the optional embodiment, the card reading preparation process mainly includes the following steps (a1-a 9):
step a 1: the certificate card reading device sends a card searching instruction to the certificate card;
step a 2: the certificate card receives the card searching command and sends card searching confirmation data to the certificate card reading device;
step a 3: the certificate card reading device encrypts the card searching request data by using the authentication encryption key to obtain a card searching request data ciphertext D1, and signs the card searching request data ciphertext by using a first private key of the certificate card reading device to obtain a card searching request signature value SD 1;
step a 4: the certificate card reading device sends a card searching request to the first certificate card security control device through the server, wherein the card searching request comprises a card searching request data ciphertext D1, a card searching request signature value SD1, a first certificate of the certificate card reading device and a second certificate of the certificate card reading device;
in this embodiment, the credential card reading device sends a card-searching command to the outside at intervals of time through the RF module, and after receiving the card-searching command, the credential card sends card-searching confirmation data to the credential card reading device, and after receiving the card-searching confirmation data sent by the credential card, the credential card reading device sends a card-searching request to the first credential card security control device.
In this embodiment, the card-seeking request includes a data cipher text of the card-seeking request, a signature value of the card-seeking request, a first certificate of the certificate card reading device, and a second certificate of the certificate card reading device. And after receiving the card searching confirmation data sent by the certificate card, the certificate card reading device encrypts the card searching request data by using the authentication encryption key to generate the card searching request data ciphertext. The card searching request data is encrypted by the authentication encryption key and then transmitted to the first certificate card security control equipment, so that the security of the card searching request data in network transmission can be ensured.
In this embodiment, the first certificate of the certificate card reading device at least includes the first public key of the certificate card reading device, and the second certificate of the certificate card reading device also at least includes the second public key of the certificate card reading device. The first public key in the first certificate of the credential card reading device may be the same as or different from the second public key in the second certificate, which is not limited in this embodiment. The second public key of the credential card reading device used in this step and the second private key of the credential card reading device used in step a8 are a pair of asymmetric key pairs, which are used for performing encryption and decryption operations on the session key in steps a6 and a8, respectively.
As an optional implementation manner of this embodiment, the card-seeking request data in step a3 further includes a time stamp and/or single authentication data, and the card-seeking request further includes an identifier of the credential card reading device. Wherein the single authentication mark comprises a count value and/or a random factor generated by a counter in the certificate card reading device. When the single authentication identifier is a count value generated by the counter, the counter generates a count value for counting the sent first data packet each time the credential card reading device performs credential card information reading operation, for example, when the credential card reading device reads the credential card a, the counter generates a count value 1, and when the credential card B is read next time, the counter generates a count value 2, and so on, although the specific count value form is not limited thereto; when the single authentication identifier is a random factor, the random factor may be one or a string of random numbers, or may be one or a string of random characters, or any combination of a string of random numbers and random characters; the identification of the credential card reading device may be a serial number of the credential card reading device, and of course, the identification of the credential card reading device is not limited to the serial number of the credential card reading device as long as the identification can uniquely represent the credential card reading device.
As an optional implementation manner of this embodiment, when the card searching request is sent to the server, the server may determine whether a flag of the certificate card reading device in the card searching request is in a blacklist, and if the flag is in the blacklist, the certificate card reading process is ended; otherwise, the server selects which certificate card safety control equipment to send the card searching request to process according to the processing capacity of each certificate card safety control equipment, and then the server sends the card searching request to the selected first certificate card safety control equipment. The server carries out shunting processing on the first data packet, so that single-point failure can be prevented.
As an optional implementation manner of this embodiment, after receiving the card-searching request and determining that the identifier of the certificate card reading device is not in the blacklist, the server verifies the received first certificate of the certificate card reading device and the second certificate of the certificate card reading device by using the root certificate, after the verification is passed, the server may perform signature verification on the card-searching request signature value by using the first certificate of the certificate card reading device, and after the signature verification is passed on the card-searching request signature value, send the card-searching request data ciphertext in the card-searching request and the second certificate of the certificate card reading device to the first certificate card security control device.
Step a 5: the first certificate card security control equipment receives a card searching request, utilizes a first certificate of a certificate card reading device to sign and verify a card searching request signature value SD1, utilizes an authentication decryption key to decrypt a card searching request data ciphertext D1 after the card searching request signature value passes the signature verification, obtains card searching request data D1, and generates card searching request response data rd1 according to the card searching request data D1;
as an optional implementation manner of this embodiment, after receiving the card searching request, the first credential security control device verifies the received first certificate of the credential card reading device and the second certificate of the credential card reading device by using the root certificate, so as to prevent an illegal party from tampering the first public key in the first certificate of the credential card reading device and the second public key in the second certificate of the credential card reading device, thereby implementing security authentication on the credential card reading device and improving the security of interaction between the two parties.
In this embodiment, the authentication decryption key is the same key as the authentication encryption key in step a3, that is, a symmetric key, and is pre-embedded in the first credential card security control device and the credential card reading device, the credential card reading device encrypts the data, which is first sent to the first credential card security control device, by using the symmetric key, and the first credential card security control device decrypts the data, which is first received by the first credential card security control device and sent by the credential card reading device, by using the symmetric key, so as to ensure the security of the first data transmission between the credential card reading device and the first credential card security control device. Optionally, the authentication encryption key and the authentication decryption key are stored in a key database, and the first certificate card security control device may read the authentication decryption key from the key database and store the authentication decryption key locally in the first certificate card security control device. The credential card reader device may also read the authentication encryption key from a key database and store it locally on the credential card reader device.
Step a 6: the first certificate card security control equipment generates a session key R3, encrypts the card searching request response data RD1 by using the session key to obtain a card searching request response data ciphertext RD1, encrypts the session key by using a second certificate of the certificate card reading device to obtain a session key ciphertext R3, signs the card searching request response data ciphertext and the session key ciphertext by using a private key of the first certificate card security control equipment to obtain a card searching request response signature value SRD 1;
step a 7: the first certificate card security control equipment sends a card searching request response to the certificate card reading device, wherein the card searching request response comprises the following steps: the card searching request response data ciphertext RD1, the session key ciphertext R3, the card searching request response signature value SRD1 and the certificate of the first certificate card security control device;
in this embodiment, after the first credential card security control device decrypts the card-seeking request data, it generates card-seeking request response data, and generates a session key, where the session key may be one or a string of random numbers, or one or a string of random characters, or any combination of a string of random numbers and random characters. And the session key is used for encrypting the card searching request response data, so that the security of the card searching request response data in network transmission is ensured. In addition, the session key is used as a randomly generated key and is not easy to be stolen by illegal molecules. In this embodiment, except that the data first transmitted by the credential card reading device and the first credential card security control device is encrypted by using the authentication encryption key, the data subsequently transmitted by the credential card reading device and the first credential card security control device may be encrypted by using the session key, so as to prevent the data transmission security from being reduced due to the decryption of the authentication encryption key. Because the session key adopts the form of random numbers, the random numbers adopted by the data transmitted each time are different, and the security of data transmission between the certificate card reading device and the first certificate card security control equipment can be further improved.
In this embodiment, the first credential card security control device encrypts the session key by using the public key in the second certificate of the credential card reading apparatus to obtain a session key ciphertext, thereby ensuring the security of the session key in network transmission.
In this embodiment, the first credential card security control device signs the card-seeking request response ciphertext and the session key by using a private key stored in the first credential card security control device, so that illegal molecules can be prevented from tampering with the card-seeking request response ciphertext and the session key.
In this embodiment, the card-searching request response sent by the first credential card security control device to the credential card reading device includes: the card searching request response data ciphertext, the session key ciphertext, the card searching request response signature value and the certificate of the first certificate card security control device. The certificate of the first certificate card security control device comprises a public key of the first certificate card security control device, and a private key of the first certificate card security control device and the public key of the first certificate card security control device are a pair of asymmetric key pairs and are used for signing and verifying data transmitted from the first certificate card security control device to the certificate card reading device.
As an optional implementation manner of this embodiment, the first credential card security control device may directly send a card-searching request response to the credential card reading device; or after sending the card searching request response to the scheduling device, the scheduling device sends the card searching request response to the certificate card reading device.
Step a 8: and the certificate card reading device receives the card searching request response, verifies the card searching request response signature value SRD1 by using the certificate of the first certificate card security control equipment, decrypts the session key ciphertext R3 by using the second private key of the certificate card reading device after the card searching request response signature value is verified, obtains a session key R3, and decrypts the card searching request response data ciphertext by using the session key, and obtains card searching request response data rd 1.
Step a 9: and after obtaining the card searching request response data, the certificate card reading device sends the card searching request data to the first certificate card safety control equipment, and the card searching process is finished.
As an optional implementation manner of this embodiment, after receiving the card-seeking request response, the credential card reading apparatus verifies the received certificate of the first credential card security control device by using the root certificate, so as to prevent an illegal party from tampering with the public key in the certificate of the first credential card security control device, implement security authentication on the first credential card security control device, and improve security of interaction between the two parties.
As an optional implementation manner of this embodiment, when the first credential card security control device encrypts the session key and the single authentication identifier by using the second certificate of the credential card reading device to generate a session key ciphertext, the second private key of the credential card reading device decrypts the session ciphertext to obtain the session key and the single authentication identifier, and may determine which card-seeking request is responded to according to the single authentication identifier.
As an optional implementation manner of this embodiment, before the card searching process, the credential card reading device and the first credential card security control device may negotiate a session key to further ensure security of data transmission of the card searching request, where a process of specifically negotiating the session key is as follows: the certificate card reading device encrypts the session key request data by using an authentication encryption key to obtain a session key request data ciphertext, signs the session key request data ciphertext by using a first private key of the certificate card reading device to obtain a session key request signature value, and sends a session key request to first certificate card safety control equipment, wherein the session key request comprises the session key request data ciphertext, the session key request signature value, a first certificate of the certificate card reading device and a second certificate of the certificate card reading device; the first certificate card security control equipment receives the session key request, utilizes a first certificate of the certificate card reading device to perform signature verification on the session key request signature value, and utilizes the authentication decryption key to decrypt the session key request data ciphertext after the session key request signature value passes the signature verification, so as to obtain session key request data; the first certificate card security control equipment generates a session key, encrypts the session key by using a second certificate of the certificate card reading device to obtain a session key ciphertext, signs the session key ciphertext by using a private key of the first certificate card security control equipment to obtain a session key ciphertext signature value, and sends a session key request response to the certificate card reading device, wherein the session key request response comprises: the session key ciphertext, the session key ciphertext signature value and the certificate of the first certificate card security control device; and the certificate card reading device receives the session key request response, checks the session key ciphertext signature value by using the certificate of the first certificate card safety control equipment, and decrypts the session key ciphertext by using a second private key of the certificate card reading device after the session key ciphertext signature value is checked to obtain the session key.
As an optional implementation manner of this embodiment, when a session key is negotiated before the card search process, the credential card reading device and the first credential card security control device in the card reading preparation process may directly use the session key to encrypt and decrypt the card search request data and the card search request response data, and the card search process in the card reading preparation process may be replaced with:
step a 1: the certificate card reading device sends a card searching instruction to the certificate card;
step a 2: the certificate card receives the card searching command and sends card searching confirmation data to the certificate card reading device;
step a 3: the certificate card reading device encrypts the card searching request data by using the session key to obtain a card searching request data ciphertext, and signs the card searching request data ciphertext by using a first private key of the certificate card reading device to obtain a card searching request signature value;
step a 4: the certificate card reading device sends a card searching request to the first certificate card safety control equipment, wherein the card searching request comprises a card searching request data ciphertext and a card searching request signature value;
step a 5: the first certificate card security control equipment receives the card searching request, utilizes a first certificate of the certificate card reading device to sign and verify the card searching request signature value, utilizes the session key to decrypt the card searching request data ciphertext after the card searching request signature value passes the signature and verification, obtains card searching request data d1, and generates card searching request response data rd1 according to the card searching request data d 1;
step a 6: the first certificate card security control equipment encrypts the card searching request response data by using the session key to obtain a card searching request response data ciphertext, and signs the card searching request response data ciphertext by using a private key of the first certificate card security control equipment to obtain a card searching request response signature value;
step a 7: the first certificate card security control equipment sends a card searching request response to the certificate card reading device, wherein the card searching request response comprises the following steps: the card searching request response data cipher text and the card searching request response signature value;
step a 8: the certificate card reading device checks the received card searching request response signature value by using the certificate of the first certificate card safety control equipment, and decrypts the received card searching request response data ciphertext by using the session key after the card searching request response signature value passes the check, so as to obtain the card searching request response data.
Step a 9: and the certificate card reading device sends card searching confirmation data to the first certificate card safety control equipment.
The steps a1-a9 complete the card searching process, the card searching process also includes a card selecting process after the card searching process is finished, and the first certificate card safety control device can confirm which certificate card is read through the card selecting process. As an optional implementation manner of this embodiment, after the step a9, the following implementation steps (a10-a18) of the card selection process are further included:
step a 10: after obtaining the card searching request response data, the certificate card reading device sends a card selecting instruction to the certificate card;
step a 11: the certificate card receives the card selection instruction and sends card selection confirmation data to the certificate card reading device, wherein the card selection confirmation data at least comprises a serial number of the certificate card.
Step a 12: the certificate card reading device receives the card selection confirmation data, encrypts the card selection request data D2 by using the session key to obtain a card selection request data ciphertext D2, and signs the card selection request data ciphertext by using a first private key of the certificate card reading device to obtain a card selection request signature value SD 2;
step a 13: the certificate card reading device sends a card selection request to the first certificate card safety control equipment, wherein the card selection request comprises a card selection request data ciphertext and a card selection request signature value;
step a 14: the first certificate card security control equipment receives the card selection request, utilizes a first certificate of the certificate card reading device to sign and verify the signature value of the card selection request, utilizes the session key to decrypt the data ciphertext of the card selection request after the signature verification of the signature value of the card selection request is passed, obtains card selection request data d2, and generates card searching request response data rd2 according to the card searching request data d 2;
step a 15: the first certificate card security control equipment encrypts the card selection request response data by using the session key to obtain a card selection request response data ciphertext RD2, and signs the card selection request response data ciphertext by using a private key of the first certificate card security control equipment to obtain a card selection request response signature value SRD 2;
step a 16: the first certificate card security control equipment sends a card selection request response to the certificate card reading device, wherein the card selection request response comprises: the card selection request response data ciphertext and the card selection request response signature value;
step a 17: the certificate card reading device checks the received card selection request response signature value by using the certificate of the first certificate card safety control equipment, and decrypts the received card selection request response data ciphertext by using the session key after the card selection request response signature value passes the check, so as to obtain card selection request response data rd 2;
step a 18: after obtaining the card selection request response data, the certificate card reading device encrypts the card selection confirmation data by using the session key to obtain a card selection confirmation data ciphertext, signs the card selection confirmation data ciphertext by using a first private key of the certificate card reading device to obtain a card selection confirmation data signature value, and sends the card selection confirmation data ciphertext and the card selection confirmation data signature value to the first certificate card security control equipment; and after the first certificate card safety control equipment receives the card selection confirmation data ciphertext and the card selection confirmation data signature value, the first certificate of the certificate card reading device is used for carrying out signature verification on the card selection data signature value, and after the card selection data signature value passes the signature verification, the session key is used for decrypting the card selection confirmation data ciphertext to obtain card selection confirmation data.
In this embodiment, one credential card has one security key, and different credential cards have different corresponding security keys, and the first credential card security control device stores the security keys of a plurality of credential cards, and through step a18, the first credential card security control device obtains card selection confirmation data, where the card selection confirmation data includes a serial number of the credential card, and after the first credential card security control device obtains the serial number of the credential card, the first credential card security control device can search for the security key corresponding to the credential card according to the serial number of the credential card, so as to subsequently use the security key to implement bidirectional authentication between the credential card and the first credential card security control device.
After the card selecting process is finished, the preparation before the card reading process is started mainly comprises the following steps (steps a19-a 23):
step a 19: the certificate card reading device sends a card reading instruction to the certificate card;
step a 20: the certificate card receives the card reading instruction and sends card reading confirmation data to the certificate card reading device;
step a 21: the certificate card reading device encrypts the card reading request data D3 by using the session key to obtain a card reading request data ciphertext D3, and signs the card reading request data ciphertext by using a first private key of the certificate card reading device to obtain a card reading request signature value SD 3;
step a 22: the certificate card reading device sends a card reading request to the first certificate card safety control equipment, wherein the card reading request comprises a card reading request data ciphertext and a card reading request signature value;
step a 23: the first certificate card security control equipment receives the card reading request, performs signature verification on the card reading request signature value by using a first certificate of the certificate card reading device, and decrypts the card reading request data ciphertext by using the session key after the card reading request signature value passes the signature verification, so as to obtain the card reading request data d 3.
In the above flow, the information transmitted between the credential card reading device and the first credential card security control device is forwarded through the server.
And when the card reading preparation process is finished, the first certificate safety control equipment starts the card reading process to acquire the certificate card information stored in the certificate card. Fig. 5 is a schematic diagram of a card reading process in an alternative implementation of the embodiment of the present invention, as shown in fig. 5, in the alternative implementation, the card reading process may include:
step b 1: the first certificate card security control device generates a first authentication factor r 1; encrypting the first authentication factor by using the session key to obtain a first authentication factor ciphertext R1, and signing the first authentication factor ciphertext by using a private key of the first certificate card security control equipment to obtain a first authentication factor signature value SR 1; this step may follow step a 23.
Step b 2: the first certificate card security control equipment sends a card reading request response to the certificate card reading device, wherein the card reading request response comprises: a first authentication factor ciphertext and a first authentication factor signature value;
step b 3: the certificate card reading device receives the card reading request response, utilizes the certificate of the first certificate card security control equipment to sign and verify the first authentication factor signature value SR1, and utilizes the session key to decrypt the first authentication factor ciphertext R1 after the first authentication factor signature value passes the signature and verification, so as to obtain the first authentication factor R1.
Step b 4: the certificate card reading device sends a first authentication factor r1 to the certificate card;
in this embodiment, the first authentication factor may be one or a string of random numbers, or may be one or a string of random characters, or any combination of a string of random numbers and random characters.
In this embodiment, the credential card reading device sends the first authentication factor to the credential card through the contactless interface, which may be an RF radio frequency module.
Step b 5: the certificate card receives the first authentication factor r1, encrypts the first authentication factor to obtain first authentication data C1 and generates a second authentication factor r 2;
step b 6: the certificate card sends first authentication data C1 and a second authentication factor r2 to the certificate card reading device;
in this embodiment, the certificate card may encrypt the first authentication factor by using a security key, where the security key is pre-embedded in the legal certificate card, and only the legal certificate card has the security key.
In this embodiment, the credential card receives the first authentication factor sent by the credential card reading device through a contactless interface, where the contactless interface may be an RF radio frequency module. In this embodiment, data between the credential card reading device and the credential card is transmitted through the non-contact interface, and details of specific implementation related to data transmission between the credential card reading device and the credential card will not be repeated.
Step b 7: the certificate card reading device receives the first authentication data and the second authentication factor, encrypts the first authentication data and the second authentication factor by using the session key to obtain a first ciphertext E1, and signs the first ciphertext by using a first private key of the certificate card reading device to obtain a first signature value S1;
in this embodiment, the second authentication factor may be one or a string of random numbers, or may be one or a string of random characters, or any combination of a string of random numbers and random characters. The certificate card can realize the authentication of the first certificate card safety control equipment by utilizing the second authentication factor.
In this embodiment, the session key may also be one or a string of random numbers, or may be one or a string of random characters, or any combination of a string of random numbers and random characters. And the certificate card reading device and the first certificate card safety control equipment encrypt and decrypt data transmitted between the certificate card reading device and the first certificate card safety control equipment by using the session key.
In this embodiment, an optional implementation manner of the certificate card reading device signing the first ciphertext with the first private key of the certificate card reading device to obtain the first signature value is as follows: the certificate card reading device calculates the first ciphertext by using a HASH algorithm to obtain a digest of the first ciphertext, and encrypts the digest of the first ciphertext by using a first private key of the certificate card reading device to obtain a first signature value. The first ciphertext can be prevented from being tampered by illegal molecules by signing the first ciphertext. It should be noted that, the signature process in this embodiment can be referred to in this embodiment, and the following process related to signature will not be described in detail.
Step b 8: the certificate card reading device sends a first data packet to the first certificate card safety control device, wherein the first data packet comprises: a first ciphertext E1 and a first signature value S1;
in this embodiment, the credential card reading device has a networking function, and can directly send the first data packet to the first credential card security control device through the wired network or the wireless network.
As an alternative embodiment, the credential card reading device may encrypt the first authentication data and the second authentication factor together by using the session key and transmit the encrypted first authentication data and the encrypted second authentication factor to the first credential card security control device, or of course, may encrypt the first authentication data and the encrypted second authentication factor respectively and transmit the encrypted first authentication data and the encrypted second authentication factor to the first credential card security control device respectively.
In this embodiment, the credential card reading device does not directly send the first data packet to the first credential card security control device, but first sends the first data packet to the server, and then the server distributes the first data packet to the first credential card security control device. The server schedules the data to be sent to the first certificate card safety control equipment, so that single-point faults can be prevented.
Step b 9: the first certificate card safety control equipment receives a first data packet; the first signature value S1 is signed and verified by using a first certificate of the certificate card reading device, and after the signature verification of the first signature value is passed, the first ciphertext E1 is decrypted by using the session key, so that first authentication data C1 and a second authentication factor r2 are obtained; verifying the first authentication data C1, and after the first authentication data is verified, encrypting a second authentication factor r2 to obtain second authentication data C2; encrypting the second authentication data by using the session key to obtain a second ciphertext E2, and signing the second ciphertext by using a private key of the first certificate card security control equipment to obtain a second signature value S2
In this embodiment, the first certificate of the credential card reading device comprises at least a first public key of the credential card reading device, and the first public key of the credential card reading device and the first private key of the credential card reading device in step b7 are a pair of asymmetric keys.
In this embodiment, an optional implementation manner of the first credential card security control device performing signature verification on the first signature value by using the first certificate of the credential card reading device is as follows: the first certificate card safety control equipment decrypts the received first signature value by using a public key of a first certificate of the certificate card reading device to obtain an abstract of a first ciphertext, calculates the received first ciphertext by using a HASH algorithm to obtain an abstract of the first ciphertext, compares whether the abstract of the decrypted first ciphertext is the same as the abstract of the calculated first ciphertext, and if the abstract of the decrypted first ciphertext is the same as the abstract of the calculated first ciphertext, verifies the signature of the first signature value. In this embodiment, the first certificate card security control device verifies the first authentication data, which includes two implementable modes: the first method is as follows: the first certificate card security control device may decrypt the received first authentication data by using a security key built in the first certificate card security control device to obtain an authentication factor, and compare whether the decrypted authentication factor is the same as a first authentication factor generated by the first certificate card security control device, and if so, verify the first authentication data. The second method comprises the following steps: the first certificate card security control device may encrypt the first authentication factor generated by itself by using the security key corresponding to the certificate card stored in the first certificate card security control device to obtain authentication data, and compare whether the encrypted authentication data is the same as the received first authentication data, if so, verify the first authentication data. Because a security key is built in the legal certificate card manufacturing process, the same security key can be stored in the first certificate card security control device, so that the bidirectional authentication between the certificate card and the first certificate card security control device can be realized subsequently. If the first certificate card security control equipment verifies the first authentication data, the fact that the security key used by the certificate card is the same as the security key used by the first certificate card security control equipment is shown, and the certificate card is the first authentication data obtained by encrypting the first authentication factor generated by the first certificate card security control equipment, the certificate card is a legal certificate card, and the first certificate card security control equipment verifies the first authentication data to confirm the legality of the certificate card.
In this embodiment, after the first authentication data is verified, the first credential card security control device encrypts the second authentication factor by using the security key to obtain second authentication data. Similarly, the security key used by the first certificate card security control device is also pre-built in the first certificate card security control device, and only the legal first certificate card security control device has the security key. As an optional implementation manner, if the first authentication data is not verified, the certificate card reading process is ended.
Step bi 0: the first certificate card safety control equipment sends a second data packet to the certificate card reading device, and the second data packet comprises: a second ciphertext E2 and a second signature value S2;
in this embodiment, the first credential card security control device may send the second data packet to the server through the wired network or the wireless network, and the server transmits the second data packet to the credential card reading device.
Step b 11: the certificate card reading device receives the second data packet, performs signature verification on the second signature value S2 by using the certificate of the first certificate card security control equipment, and decrypts the second ciphertext E2 by using the session key after the signature verification on the second signature value is passed, so as to obtain second authentication data C2;
in this embodiment, the certificate of the first certificate card security control device at least includes the public key of the first certificate card security control device.
Step b 12: the credential card reading device sends the second authentication data C2 to the credential card;
step b 13: the certificate card verifies the second authentication data C2;
step b 14: after the certificate card verifies the second authentication data, sending a certificate card data ciphertext cd1 to the certificate card reading device;
in this embodiment, the specific implementation manner of the certificate card verifying the second authentication data is as follows: the first method is as follows: the certificate card can decrypt the received second authentication data by using a decryption key corresponding to a security key built in the certificate card to obtain an authentication factor, and compares whether the decrypted authentication factor is the same as a second authentication factor generated by the certificate card, if so, the certificate card verifies the second authentication data. The second method comprises the following steps: the certificate card can encrypt the second authentication factor generated by the certificate card by using the security key of the certificate card to obtain authentication data, and compare whether the encrypted authentication data is the same as the received second authentication data, if so, the second authentication data is verified to be passed. The certificate card verifies the second authentication data, the safety key used by the first certificate card safety control equipment is the same as the safety key built in the certificate card, the first certificate card safety control equipment is legal, and the certificate card verifies the second authentication data to confirm the legality of the first certificate card safety control equipment.
The first certificate card security control device confirms the legality of the certificate card through the first authentication factor in step b9, and the certificate card confirms the legality of the first certificate card security control device through the second authentication factor in step b 14. After the bidirectional authentication is passed, the certificate card sends a certificate card data ciphertext to the certificate card reading device, wherein the certificate card data ciphertext is a ciphertext of data such as a certificate card number, a name, a photo, an age, an address, a card service life and/or a fingerprint.
Step b 15: the certificate card reading device receives the certificate card data ciphertext cd1, encrypts the certificate card data ciphertext by using the session key to obtain a third ciphertext E3, and signs the third ciphertext by using the first private key of the certificate card reading device to obtain a third signature value S3;
in this embodiment, the credential card reading device encrypts the credential card data ciphertext using the session key, thereby ensuring the security of the credential card data ciphertext in the network transmission process. In addition, the third ciphertext is signed by using the first private key of the certificate card reading device, so that illegal molecules can be prevented from tampering with the third ciphertext.
Step b 16: the certificate card reading device sends a third data packet to the first certificate card safety control device, and the third data packet comprises: a third ciphertext E3 and a third signature value S3;
step b 17: the first certificate card security control equipment receives the third data packet, performs signature verification on the third signature value S3 by using the first certificate of the certificate card reading device, and decrypts the third ciphertext E3 by using the session key after the signature verification on the third signature value is passed, so as to obtain a certificate card data ciphertext cd 1; decrypting the certificate card data ciphertext to obtain a certificate card data plaintext cd 2; encrypting the certificate card data plaintext cd2 by using the session key to obtain a fourth ciphertext E4, and signing the fourth ciphertext by using a private key of the first certificate card security control device to obtain a fourth signature value S4;
optionally, the information included in the certificate card data ciphertext may be sent to the first certificate card security control device through one data packet at a time, and of course, the information included in the certificate card data ciphertext may also be sent to the first certificate card security control device through a plurality of data packets in multiple times.
In this embodiment, after the first certificate card security control device decrypts the third ciphertext to obtain the certificate card data ciphertext, the module that is arranged in the first certificate card security control device and can decrypt the ciphertext data read from the certificate card is used to decrypt the certificate card data ciphertext to obtain the certificate card data plaintext. The session key is used for encrypting the certificate card data plaintext, so that the safety of the certificate card data plaintext in the network transmission process is ensured; and the fourth ciphertext is signed by using the private key of the first certificate card safety control equipment, so that illegal molecules can be prevented from tampering with the fourth ciphertext.
Step b 18: the first certificate card safety control equipment sends a fourth data packet to the certificate card reading device, and the fourth data packet comprises: a fourth ciphertext E4 and a fourth signature value S4;
step b 19: the certificate card reading device receives the fourth data packet, performs signature verification on the fourth signature value S4 by using the certificate of the first certificate card security control equipment, and decrypts the fourth ciphertext E4 by using the session key after the signature verification on the fourth signature value is passed, so as to obtain the certificate card data plaintext cd 2; the credential card reader device can then send the credential card data in the clear to the terminal.
In this embodiment, the plaintext of the certificate card data is generally the plaintext of data such as the certificate card number, name, photo, age, address, age of the card, and/or fingerprint. As an optional implementation manner of this embodiment, after the certificate card reading device decrypts the certificate card data plaintext, the certificate card data plaintext is sent to the terminal, and the terminal displays or stores the certificate card data plaintext.
Through the process, the bidirectional authentication is completed by the interaction of the first authentication factor and the second authentication factor between the certificate card and the first certificate card safety control equipment, and the first certificate card safety control equipment decrypts the certificate card data ciphertext to obtain the certificate card data plaintext and sends the certificate card data plaintext to the certificate card reading device to complete the reading of the certificate card.
It can be seen from the above technical solutions that, in the solution provided by the embodiments of the present invention, the certificate card security control module is removed from the certificate card reading device, the certificate card reading device can only communicate with the certificate card, and the certificate card information needs to be read by the certificate card security control device disposed at the background, so that the cost of the certificate card radio frequency device can be reduced, and a plurality of terminals can be verified by the same certificate card security control device, thereby improving the utilization rate of the certificate card security control device.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (14)
1. A method for acquiring information of a certificate card is characterized by comprising the following steps:
step 1, a terminal sends an operation request to a certificate card reading device;
step 2, the certificate card reading device receives the operation request;
step 3, periodically broadcasting a card searching instruction by the certificate card reading device;
step 4, the certificate card reading device receives a response message returned by the certificate card and judges that the response message is the card searching confirmation data aiming at the card searching instruction;
step 5, the certificate card reading device stops broadcasting the card searching command and sends a card searching request to a server;
step 6, the server receives the card searching request and sends the card searching request to first certificate card safety control equipment;
step 7, the first certificate card security control equipment receives the card searching request and sends a card searching response to the certificate card reading device through the server, wherein the card searching response carries card searching response data;
step 8, the certificate card reading device receives the card searching response sent by the first certificate card safety control equipment, and obtains the card searching response data;
step 9, the certificate card reading device determines that the card searching response data is response data responding to the card searching request, and sends the card searching confirmation data to the first certificate card security control device through the server;
step 10, the certificate card reading device sends a card selection instruction to the certificate card;
step 11, the certificate card reading device receives card selection confirmation data sent by the certificate card, wherein the card selection confirmation data at least comprises unique identification information of the certificate card;
step 12, the certificate card reading device sends a card selection request to the first certificate card security control equipment through the server;
step 13, the first certificate card security control equipment receives the card selection request;
step 14, the first certificate card security control equipment sends a card selection request response to the certificate card reading device through the server;
step 15, the certificate card reading device receives a card selection request response sent by the first certificate card security control equipment;
step 16, the certificate card reading device determines that the card selection request response is response data for the card selection request, and sends the card selection confirmation data to the first certificate card security control device through the server;
step 17, the certificate card reading device sends a card reading instruction to the certificate card;
step 18, the certificate card reading device receives card reading confirmation data returned by the certificate card;
step 19, the certificate card reading device sends a card reading request to the server;
step 20, the server sends the card reading request to a first certificate card safety control device;
step 21, the first certificate card security control equipment receives the card reading request, starts a process of reading certificate card information, and reads the certificate card information stored in the certificate card through information interaction between the server and the certificate card reading device and the certificate card;
step 22, the first certificate card security control equipment sends the read certificate card information to the certificate card reading device through a server;
and step 23, the certificate card reading device receives and sends the certificate card information to the terminal.
2. The method of claim 1,
the card searching request at least carries first identity authentication data; before the first credential card security control device returns the card-searching response to the credential card reading device through the server, the method further includes: the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to the first identity authentication data carried in the card searching request, and if the identity of the certificate card reading device passes the authentication, the first certificate card safety control equipment returns the card searching response to the certificate card reading device through the server; and/or
The card searching response at least carries second identity authentication data; after the credential card reading device receives the card searching response sent by the first credential card security control device through the server, before sending the card searching confirmation data to the first credential card security control device through the server, the method further includes: the certificate card reading device authenticates the identity of the first certificate card safety control equipment according to the second identity authentication data, and executes the step of sending the card searching confirmation data to the first certificate card safety control equipment through the server under the condition that the authentication is passed; and/or
The card selection request carries third identity authentication data; after the first credential card security control device receives the card selection request and before a card selection request response is sent to the credential card reading device by the server, the method further comprises: the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to third identity authentication data carried in the card selection request, and executes the step of sending a card selection request response to the certificate card reading device through the server under the condition that the authentication is passed; and/or
The card selection request response at least carries fourth identity authentication data; after the credential card reading device receives the card selection request response sent by the first credential card security control device, before sending the card selection confirmation data to the first credential card security control device through the server, the method further includes: the certificate card reading device analyzes information carried in the card selection request response, acquires fourth identity authentication data carried in the card selection request response, authenticates the identity of the first certificate card safety control equipment according to the fourth identity authentication data, and executes the step of sending the card selection confirmation data to the first certificate card safety control equipment through the server under the condition that the authentication is passed; and/or
The card reading request at least carries fifth identity authentication data; after the first credential card security control device receives the card reading request and before starting a process of reading credential card information, the method further includes: and the first certificate card safety control equipment authenticates the identity of the certificate card reading device according to the fifth authentication data carried in the card reading request, and executes the step of starting the process of reading the certificate card information under the condition that the authentication is passed.
3. The method according to claim 1 or 2,
before the first credential card security control device starts the process of reading credential card information, the method further includes: the certificate card reading device and the first certificate card safety control equipment negotiate through the server, and a session key is obtained by the certificate card reading device and the first certificate card safety control equipment;
after the certificate card reading device and the first certificate card safety control equipment obtain a session key, in the subsequent communication process of the certificate card reading device and the first certificate card safety control equipment, the certificate card reading device and the first certificate card safety control equipment respectively encrypt and decrypt sent and received data by using the session key.
4. The method of any of claims 1-3, wherein the server sending the card-seeking request to the first credential card security control device comprises:
the server selects the first certificate card safety control equipment from a plurality of certificate card safety control equipment;
and the server sends the card searching request to the selected first certificate card safety control equipment.
5. The method of any of claims 1 to 4, wherein after the terminal receives the credential card information, the method further comprises:
and the terminal displays and/or sends the certificate card information to a storage device for storage.
6. A credential card information acquisition device, comprising:
the first transceiver module is used for receiving an operation request sent by a terminal;
the second transceiving module is used for periodically broadcasting a card searching instruction and receiving a response message returned by the certificate card;
the processing module is used for judging that the response message is card searching confirmation data aiming at the card searching instruction; if so, instructing the second transceiver module to stop broadcasting the card searching instruction, and instructing a third transceiver module to send a card searching request to the first certificate card security control device through a server;
the third transceiver module is configured to send the card searching request through the server, and receive the card searching response returned by the first credential card security control device through the server;
the processing module is further configured to obtain the card searching response data from the card searching response, determine that the card searching response data is response data in response to the card searching request, and instruct the third transceiver module to send the card searching confirmation data to the first credential card security control device through the server;
the second transceiver module is further configured to send a card selection instruction to the credential card and receive card selection confirmation data sent by the credential card, where the card selection confirmation data at least includes unique identification information of the credential card;
the third transceiver module is further configured to send a card selection request to the first credential card security control device through the server, and receive a card selection request response sent by the first credential card security control device through the server;
the processing module is further configured to determine that the card selection request response is response data for the card selection request, and instruct the third transceiver module to send the card selection confirmation data to the first credential card security control device through the server;
the second transceiver module is further configured to send a card reading instruction to the certificate card and receive card reading confirmation data returned by the certificate card;
the third transceiver module is further configured to send a card reading request to the first certificate card security control device through the server, and instruct the first certificate card security control device to start a process of reading certificate card information; receiving first interaction information sent by the first certificate card safety control device through the server in the certificate card information reading process, and sending second interaction information sent by the certificate card to the first certificate card safety control device through the server; receiving certificate card information read from the certificate card and sent by the first certificate card security control equipment through the server;
the second transceiver module is further configured to send the first interaction information received by the third transceiver module to a certificate card, and receive second interaction information sent by the certificate card;
the first transceiver module is further configured to send the certificate card information received by the third transceiver module to the terminal.
7. The apparatus according to claim 6, wherein the processing module is further configured to obtain first identity authentication data before the third transceiver module sends the card searching request, and carry the first identity authentication data in the card searching request; and/or
The card searching response at least carries second identity authentication data; the processing module is further configured to authenticate the identity of the first certificate card security control device according to the second identity authentication data after the third transceiver module receives a card searching response sent by the first certificate card security control device through the server and before the card searching confirmation data is sent to the first certificate card security control device through the server, and if the authentication is passed, trigger the third transceiver module to send the card searching confirmation data to the first certificate card security control device through the server; and/or
The processing module is further configured to acquire third identity authentication data before the third transceiver module sends the card selection request, and carry the third identity authentication data in the card selection request; and/or
The card selection request response at least carries fourth identity authentication data; the processing module is further configured to, after the third transceiver module receives a card selection request response sent by the first certificate card security control device, analyze information carried in the card selection request response before sending the card selection confirmation data to the first certificate card security control device through the server, obtain fourth authentication data carried in the card selection request response, authenticate the identity of the first certificate card security control device according to the fourth authentication data, and trigger the third transceiver module to send the card selection confirmation data to the first certificate card security control device through the server if the authentication is passed; and/or
The processing module is further configured to acquire fifth identity authentication data before the third transceiver module sends the card reading request, and carry the fifth identity authentication data in the card reading request.
8. The apparatus of claim 7,
the processing module is further configured to negotiate with the first certificate card security control device through the server to obtain a session key before the first certificate card security control device starts a procedure of reading certificate card information; and in the subsequent communication process with the first certificate card safety control equipment, the session key is used for encrypting and sending the data sent by the third transceiver module and decrypting the data received by the third transceiver module respectively.
9. A credential card information acquisition system, comprising: the certificate card security control system comprises a terminal, a certificate card reading device, a server and first certificate card security control equipment; wherein,
the terminal is used for sending an operation request to the certificate card reading device;
the credential card reading device comprising the device of claim 7 or 8;
the server is used for receiving a card searching request sent by the certificate card reading device and sending the card searching request to the first certificate card safety control equipment; forwarding information interacted between the certificate card reading device and the first certificate card safety control equipment;
the first certificate card security control device is used for:
receiving the card searching request, sending a card searching response to the certificate card reading device through the server, wherein,
the card searching response carries card searching response data;
receiving card searching confirmation data sent by the certificate card reading device through the server;
receiving a card selection request sent by the certificate card reading device through the server, and sending a card selection request response to the certificate card reading device through the server;
receiving a card reading request sent by the certificate card reading device through the server, starting a process of reading certificate card information, and reading certificate card information stored in the certificate card through information interaction between the server and the certificate card reading device as well as the certificate card;
and sending the read information of the certificate card to the certificate card reading device through a server.
10. The system of claim 9,
the card searching request at least carries first identity authentication data; the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to the first identity authentication data carried in the card searching request before the card searching response is returned to the certificate card reading device through the server, and execute an operation of returning the card searching response to the certificate card reading device through the server if the authentication is passed; and/or
The first certificate card security control device is further configured to acquire second identity authentication data before sending the card searching response, and carry the second identity authentication data in the card searching response; and/or
The card selection request carries third identity authentication data; the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to third identity authentication data carried in the card selection request after receiving the card selection request and before sending a card selection request response to the certificate card reading device through the server, and execute an operation of sending the card selection request response to the certificate card reading device through the server when the authentication is passed; and/or
The first certificate card security control device is further configured to acquire fourth identity authentication data before sending the card selection request response, and carry the fourth identity authentication data in the card selection request response; and/or
The card reading request at least carries fifth identity authentication data; the first certificate card security control device is further configured to authenticate the identity of the certificate card reading device according to the fifth authentication data carried in the card reading request after receiving the card reading request and before starting a process of reading certificate card information, and execute an operation of starting the process of reading certificate card information when the authentication is passed.
11. The system according to any one of claims 9 to 10,
the certificate card reading device and the first certificate card safety control equipment are also used for negotiating through the server before the first certificate card safety control equipment starts a process of reading certificate card information, and a session key is obtained by the two parties; and after the certificate card reading device and the first certificate card safety control equipment obtain a session key, encrypting and decrypting the sent and received data respectively by using the session key in the subsequent communication process of the certificate card reading device and the first certificate card safety control equipment.
12. The system according to any one of claims 9 to 11, wherein the server sends the card-seeking request to the first credential card security control device by:
selecting the first certificate card security control device from a plurality of certificate card security control devices;
and sending the card searching request to the selected first certificate card safety control equipment.
13. The system of claim 12, wherein the server selects the first credential card security control device from a plurality of credential card security control devices by:
selecting the first certificate card safety control equipment from a plurality of certificate card safety control equipment according to the pre-stored corresponding relation between the certificate card reading device and the certificate card safety control equipment; or
And selecting the certificate card safety control equipment with the current working state being idle from the plurality of certificate card safety control equipment as the first certificate card safety control equipment.
14. The system according to any one of claims 9 to 13, wherein the terminal is further configured to display and/or send the credential card information to a storage device for storage after receiving the credential card information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610787018.XA CN106372557B (en) | 2016-08-30 | 2016-08-30 | Certificate card information acquisition method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610787018.XA CN106372557B (en) | 2016-08-30 | 2016-08-30 | Certificate card information acquisition method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106372557A true CN106372557A (en) | 2017-02-01 |
| CN106372557B CN106372557B (en) | 2021-07-20 |
Family
ID=57899410
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610787018.XA Active CN106372557B (en) | 2016-08-30 | 2016-08-30 | Certificate card information acquisition method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106372557B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109285249A (en) * | 2018-09-05 | 2019-01-29 | 北京旷视科技有限公司 | A kind of testimony of a witness verifying system and method |
| CN110830486A (en) * | 2019-11-13 | 2020-02-21 | 深圳市亲邻科技有限公司 | Card reading and writing method and device based on multi-terminal communication and multi-terminal communication system |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2003288323A (en) * | 2002-03-28 | 2003-10-10 | Minolta Co Ltd | Authentication system, authentication device, and server device |
| CN1741028A (en) * | 2004-08-25 | 2006-03-01 | 国际商业机器公司 | Article position detecting equipment and method |
| CN1875371A (en) * | 2003-11-07 | 2006-12-06 | 阿利安科技有限公司 | Methods and apparatuses to identify devices |
| US20090144203A1 (en) * | 2007-11-29 | 2009-06-04 | Visa Usa, Inc. | Serial number and payment data based payment card processing |
| CN101727683A (en) * | 2008-10-21 | 2010-06-09 | 南开大学 | Public transport IC card identity identifying and authenticating system |
| CN102004894A (en) * | 2010-11-16 | 2011-04-06 | 上海复旦微电子股份有限公司 | Method for identifying collisions of non-contact communication tags |
| US20120066303A1 (en) * | 2010-03-03 | 2012-03-15 | Waldeck Technology, Llc | Synchronized group location updates |
| CN104636777A (en) * | 2015-01-15 | 2015-05-20 | 李明 | Identity card information obtaining system |
| CN104639538A (en) * | 2015-01-15 | 2015-05-20 | 李明 | Identity card information obtaining method and system |
| CN104933379A (en) * | 2015-05-20 | 2015-09-23 | 李明 | Identity card information acquisition method, device and system |
| CN106372548A (en) * | 2016-08-30 | 2017-02-01 | 李明 | Method, device and system for acquiring certificate card information |
-
2016
- 2016-08-30 CN CN201610787018.XA patent/CN106372557B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2003288323A (en) * | 2002-03-28 | 2003-10-10 | Minolta Co Ltd | Authentication system, authentication device, and server device |
| CN1875371A (en) * | 2003-11-07 | 2006-12-06 | 阿利安科技有限公司 | Methods and apparatuses to identify devices |
| CN1741028A (en) * | 2004-08-25 | 2006-03-01 | 国际商业机器公司 | Article position detecting equipment and method |
| US20090144203A1 (en) * | 2007-11-29 | 2009-06-04 | Visa Usa, Inc. | Serial number and payment data based payment card processing |
| CN101727683A (en) * | 2008-10-21 | 2010-06-09 | 南开大学 | Public transport IC card identity identifying and authenticating system |
| US20120066303A1 (en) * | 2010-03-03 | 2012-03-15 | Waldeck Technology, Llc | Synchronized group location updates |
| CN102004894A (en) * | 2010-11-16 | 2011-04-06 | 上海复旦微电子股份有限公司 | Method for identifying collisions of non-contact communication tags |
| CN104636777A (en) * | 2015-01-15 | 2015-05-20 | 李明 | Identity card information obtaining system |
| CN104639538A (en) * | 2015-01-15 | 2015-05-20 | 李明 | Identity card information obtaining method and system |
| CN104933379A (en) * | 2015-05-20 | 2015-09-23 | 李明 | Identity card information acquisition method, device and system |
| CN106372548A (en) * | 2016-08-30 | 2017-02-01 | 李明 | Method, device and system for acquiring certificate card information |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109285249A (en) * | 2018-09-05 | 2019-01-29 | 北京旷视科技有限公司 | A kind of testimony of a witness verifying system and method |
| CN110830486A (en) * | 2019-11-13 | 2020-02-21 | 深圳市亲邻科技有限公司 | Card reading and writing method and device based on multi-terminal communication and multi-terminal communication system |
| CN110830486B (en) * | 2019-11-13 | 2022-11-25 | 深圳市亲邻科技有限公司 | Card reading and writing method and device based on multi-terminal communication and multi-terminal communication system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106372557B (en) | 2021-07-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105050081B (en) | Method, device and system for connecting network access device to wireless network access point | |
| CN108551455B (en) | Configuration method and device of smart card | |
| CN104618115B (en) | ID card information acquisition methods and system | |
| CN104636777B (en) | ID card information obtains system | |
| CN104639538A (en) | Identity card information obtaining method and system | |
| CN103248491B (en) | A kind of backup method of electronic signature token private key and system | |
| CN103714639A (en) | Method and system enabling safe operation of POS terminal to be achieved | |
| CN106161032A (en) | A kind of identity authentication method and device | |
| CN106027475B (en) | The transmission method and system of a kind of key acquisition method, ID card information | |
| CN106027457B (en) | A kind of ID card information transmission method and system | |
| JP5380583B1 (en) | Device authentication method and system | |
| CN106022081B (en) | A kind of card reading method of identity card card-reading terminal, identity card card-reading terminal and system | |
| CN106027250A (en) | Identity card information safety transmission method and system | |
| CN104539420A (en) | General intelligent hardware safe secret key management method | |
| CN108964897A (en) | Identity authorization system and method based on group communication | |
| CN104639542A (en) | Method and system for obtaining identity card information | |
| CN106357627B (en) | Method, system and terminal for reading resident certificate card information | |
| CN115348023A (en) | Data security processing method and device | |
| CN105592056A (en) | Password safety system for mobile device and password safety input method thereof | |
| CN106372557B (en) | Certificate card information acquisition method, device and system | |
| CN103973455B (en) | A kind of information interacting method | |
| CN106022140B (en) | Identity card read method and system | |
| CN106407859B (en) | Certificate card information acquisition method, terminal and certificate card information acquisition system | |
| CN106372554A (en) | Certificate card information collection method and system | |
| CN106027483B (en) | A kind of identity card read method and identity card card-reading terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220414 Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094 Patentee after: TENDYRON Corp. Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing Patentee before: Li Ming |